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CONFroENTIALITY  OF  PATIENT  RECORDS 


THURSDAY,  FEBRUARY  17,  2000 

House  of  Representatives,        p        i  F 
Committee  on  Ways  and  Means, 

Subcommittee  on  Health, 

Washington,  DC. 
The  Subcommittee  met,  pursuant  to  notice,  at  11:37  a.m.,  in 
room  1100,  Longworth  House  Office  Building,  Hon.  Bill  Thomas 
(Chairman  of  the  Subcommittee)  presiding. 
[The  advisory  announcing  the  hearing  follows:] 
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ADVISORY 

FROM  THE  COMMITTEE  ON  WAYS  AND  MEANS 


SUBCOMMITTEE  ON  HEALTH 

FOR  IMMEDIATE  RELEASE  ,  CONTACT:  (202)  225-3943 

February  11,  2000 

No.  HI^13  h 

Thomas  Announces  Hearing  on 
the  Confidentiality  of  Patient  Records 

Congressman  Bill  Thomas  (R-CA),  Chairman,  Subcommittee  on  Health  of  the 
Committee  on  Ways  and  Means,  today  announced  that  the  Subcommittee  will  hold 
a  hearing  on  the  Administration's  proposed  regulations  regarding  privacy  of  individ- 
ually identifiable  health  information.  The  hearing  will  take  place  on  Thursday,  Feb- 
ruary 17,  2000,  in  the  main  Committee  hearing  room,  1100  Longworth  House  Office 
Building,  beginning  at  10:00  a.m. 

In  view  of  the  hmited  time  available  to  hear  witnesses,  oral  testimony  at  this 
hearing  will  be  from  invited  witnesses  only.  The  Subcommittee  will  receive  testi- 
mony from  a  representative  of  the  U.S.  Department  of  Health  and  Human  Services 
(HHS),  and  from  a  variety  of  private  sector  witnesses  representing  different  perspec- 
tives from  within  the  health  care  system.  However,  any  individual  or  organization 
not  scheduled  for  an  oral  appearance  may  submit  a  written  statement  for  consider- 
ation by  the  Conmiittee  and  for  inclusion  in  the  printed  record  of  the  hearing. 

BACKGROUND: 

Congress  addressed  the  issue  of  medical  record  confidentiahty  in  1996  when  it 
passed  administrative  simplification  requirements  for  electronic  health  transactions 
as  part  of  the  Health  Insurance  Portability  and  Accountability  Act  (HIPAA)  P.L. 
104-191).  HIPAA  required  the  Secretary  of  HHS  to  make  recommendations  to  Con- 
gress about  how  to  better  protect  the  confidentiality  of  personal  health  information 
that  is  transmitted  electronically.  The  Secretary  submitted  her  recommendations  to 
Congress  in  September  of  1997.  Additionally,  Congress  granted  the  Secretary  the 
authority  to  draft  regulations  if  a  privacy  law  was  not  enacted  by  August  21,  1999. 
On  November  3,  1999,  HHS  pubhshed  a  Notice  of  Proposed  Rule  Making  for  "Stand- 
ards for  Privacy  of  Individually  Identifiable  Health  Information."  The  comment  pe- 
riod for  this  ruling  was  extended  until  February  17,  2000,  and  a  final  ruUng  will 
follow.  Generally,  covered  entities  must  comply  with  these  regulations  no  later  than 
24  months  following  the  effective  date  of  the  final  rule. 

The  proposed  rule  establishes  standards  to  protect  the  privacy  of  individually 
identifiable  health  information  maintained  or  transmitted  electronically  in  connec- 
tion with  one  of  the  mandated  electronic  transaction  standards  established  by 
HIPAA.  Since  the  release  of  the  proposed  ruling,  many  provider  groups,  health  care 
organizations,  and  privacy  advocates  have  expressed  various  concerns  about  dif- 
ferent interpretations  of  the  regulation,  and  its  potential  impUcations.  As  a  result, 
thousands  of  comments  are  expected  to  be  submitted  on  the  regulation  by  the  end 
of  the  comment  period. 

In  announcing  the  hearing,  Chairman  Thomas  stated:  "Protecting  the  confiden- 
tiality of  personal  health  information  is  critical  to  ensuring  patient  confidence  in  our 
health  care  system.  The  Secretary  has  taken  on  a  monumental  task.  She  has  tried 
to  lay  out  a  comprehensive  framework  for  regulating  the  flow  of  virtually  all  health 
care  information,  while  still  allowing  data  to  be  used  to  further  research  that  wiU 
improve  patient  care.  This  hearing  is  intended  to  assist  us  in  determining  whether 
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the  regulation  will  ultimately  prove  to  be  workable  or  whether  legislation  might  be 
necessary." 

FOCUS  OF  THE  HEARING: 

The  hearing  will  focus  on  various  aspects  of  the  Department's  proposed  confiden- 
tiality regulation,  and  examine  what  implications  the  rule  presents  for  Medicare 
and  the  private  health  sector. 

DETAILS  FOR  SUBMISSION  OF  WRITTEN  COMMENTS: 

Any  person  or  organization  wishing  to  submit  a  written  statement  for  the  printed 
record  of  the  hearing  should  submit  six  (6)  single-spaced  copies  of  their  statement, 
along  with  an  IBM  compatible  3.5-inch  diskette  in  WordPerfect  or  MS  Word  format, 
with  their  name,  address,  and  hearing  date  noted  on  a  label,  by  the  close  of  busi- 
ness, Thursday,  March  2,  2000,  to  A.L.  Singleton,  Chief  of  Staff,  Committee  on 
Ways  and  Means,  U.S.  House  of  Representatives,  1102  Longworth  House  Office 
Building,  Washington,  D.C.  20515.  If  those  filing  written  statements  wish  to  have 
their  statements  distributed  to  the  press  and  interested  public  at  the  hearing,  they 
may  deHver  200  additional  copies  for  this  purpose  to  the  Subcommittee  on  Health 
office,  room  1136  Longworth  House  Office  Building,  by  close  of  business  the  day  be- 
fore the  hearing. 

FORMATTING  REQUIREMENTS: 

Each  statement  presented  for  printing  to  the  Committee  by  a  witness,  any  written  statement 
or  exhibit  submitted  for  the  printed  record  or  any  written  comments  in  response  to  a  request 
for  written  comments  must  conform  to  the  guidelines  listed  below.  Any  statement  or  exhibit  not 
in  compliance  with  these  guidelines  will  not  be  printed,  but  will  be  maintgiined  in  the  Committee 
files  for  review  and  use  by  the  Committee. 

1.  All  statements  and  any  accompanying  exhibits  for  printing  must  be  submitted  on  an  IBM 
compatible  3.5-inch  diskette  in  WordPerfect  or  MS  Word  format,  typed  in  single  space  and  may 
not  exceed  a  total  of  10  pages  including  attachments.  Witnesses  are  advised  that  the  Committee 
will  rely  on  electronic  submissions  for  printing  the  official  hearing  record. 

2.  Copies  of  whole  documents  submitted  as  exhibit  material  will  not  be  accepted  for  printing. 
Instead,  exhibit  material  should  be  referenced  and  quoted  or  paraphrased.  All  exhibit  material 
not  meeting  these  specifications  will  be  maintained  in  the  Committee  files  for  review  and  use 
by  the  Committee. 

3.  A  witness  appearing  at  a  public  hearing,  or  submitting  a  statement  for  the  record  of  a  pub- 
lic hearing,  or  submitting  written  comments  in  response  to  a  published  request  for  comments 
by  the  Committee,  must  include  on  his  statement  or  submission  a  list  of  all  clients,  persons, 
or  organizations  on  whose  behalf  the  witness  appears. 

4.  A  supplemental  sheet  must  accompany  each  statement  listing  the  name,  company,  address, 
telephone  and  fax  numbers  where  the  witness  or  the  designated  representative  may  be  reached. 
This  supplemental  sheet  will  not  be  included  in  the  printed  record. 

The  above  restrictions  and  limitations  apply  only  to  material  being  submitted  for  printing. 
Statements  and  exhibits  or  supplementary  material  submitted  solely  for  distribution  to  the 
Members,  the  press  and  the  public  during  the  course  of  a  public  hearing  may  be  submitted  in 
other  forms. 


Note:  All  Committee  advisories  and  news  releases  are  available  on  the  World 
Wide  Web  at  "http://waysandmeans.house.gov". 

The  Committee  seeks  to  make  its  facihties  accessible  to  persons  with  disabilities. 
If  you  are  in  need  of  special  accommodations,  please  call  202-225-1721  or  202-226- 
3411  TTD/TTY  in  advance  of  the  event  (four  business  days  notice  is  requested). 
Questions  with  regard  to  special  accommodation  needs  in  general  (including  avail- 
ability of  Committee  materials  in  alternative  formats)  may  be  directed  to  the  Com- 
mittee as  noted  above. 
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Chairman  Thomas.  The  subcommittee  will  come  to  order.  When 
I  was  younger  there  was  a  little  rhjnne  that  my  mother  used  to  re- 
cite to  me  and  I  never  really  appreciated  it  as  much  as  I  do  now 
when  the  House  is  not  going  to  meet  and  vote  today,  and  members 
make  choices.  We  had  planned  on  voting  today.  We  will  not  have 
as  many  members  at  this  hearing  as  we  obviously  would  like. 
There  are  others  that  are  forced  to  arrive  a  little  late  because  of 
other  factors. 

But  the  little  rhyme  was  that  man  works  from  sun  to  sun,  a 
woman's  work  is  never  done.  This  committee  has  a  decidedly  fe- 
male bent  in  terms  of  the  workload  that  we  have.  But  we  are  deal- 
ing with  a  number  of  issues  in  which  we  need  to  lay  a  hearing 
record  fairly  early,  and  frankly,  I  believe  February  is  a  fairly  early 
time  period,  in  looking  at  issues  such  as  medical  errors,  prescrip- 
tion drug  being  integrated  into  Medicare. 

Nothing  is  probably  more  important  since  it  undergirds  many  of 
those  areas,  the  question  of  medical  records,  confidentiality  of  those 
records.  But  more  importantly,  the  ability  to  use  those  records  in 
a  confidential  way  to  continue  to  work  on  a  systematic  examination 
of  medical  decisions  for  outcomes  policy  and  for  making  sure  that 
with  the  limited  dollars  available,  to  try  to  stretch  as  far  as  we  can 
to  provide  health  care  to  a  number  of  individuals  in  our  society, 
among  those  the  eldest  and  the  most  needy,  the  taxpayers'  dollars 
are  spent  in  the  wisest  possible  way. 

Congress  addressed  the  issue  of  medical  record  confidentiality  in 
1966,  although  the  whole  question  of  confidentiality  in  the  general 
area  of  records  has  been  looked  at  since  the  1970s.  In  the  legisla- 
tion, the  Health  Insurance  Portability  and  Accoimtability  Act,  there 
was  a  positive  attempt  to  get  at  especially  the  area  of  electronic 
health  transactions.  We  had  a  deadline  for  Congress  to  act,  but 
with  some  degree  of  prescience  said  that  if  we  did  not,  the  Sec- 
retary of  Health  and  Human  Services  should  go  forward  with  the 
attempt. 

The  context  in  which  we  examine  the  Secretary's  attempt,  and 
indeed  look  at  Congressional  attempts,  one  to  meet  the  deadline, 
and  continue  to  try  to  produce  policy  after  the  deadline  even  today, 
is  one  that  I  think  has  been  an  honest  effort  to  deal  with  a  very 
difficult  area.  There  are  some  I  think  who  would  like  to  politicize 
this  area  as  they  are  attempting  to  politicize  other  areas,  and  use 
it  for  whatever  political  advantage  they  may  think. 

As  far  as  serving  the  society  in  the  areas,  for  example,  that  we 
have  held  committee  hearings  on  and  this  one  today,  I  hope  that 
we  will  try  to  tone  down  the  politics.  That  is,  the  assumption  that 
people  who  are  in  opposition  to  some  attempt  to  create  confidential- 
ity ill  some  manner  have  ulterior  motives. 

I  think  when  you  look  at  it  fi-om  the  number  of  different  perspec- 
tives that  people  look  at  it,  they  all  see  the  problem  from  a  slightly 
different  perspective  and  try  to  examine  it  fi-om  how  they  fit  into 
the  proposed  scheme.  Indeed,  I  am  hopeful  that  with  the  initial 
panel  of  Health  Care  Financing  Administration  and  the  other  pan- 
els it  will  be  clearly  illustrated  that  to  a  very  great  extent  beauty 
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is  in  the  eye  of  the  beholder,  depending  upon  how  you  see  yourself 
within  this  larger  structure. 

So  we  come  today  with  the  last  day  of  the  extended  comment  pe- 
riod closing,  and  that  is  one  of  the  reasons  I  wanted  to  make  sure 
that  we  had  a  hearing  today.  Now  generally,  covered  entities  must 
comply  with  these  regulations  no  later  than  24  months  following 
the  effective  date  of  the  final  rule.  As  we  have  seen  with  other  leg- 
islation, that  may  be  forever.  Our  goal  is  not  to  have  that  happen. 
To  the  degree  regulations  that  seem  to  be  generally  supported  can- 
not be  finalized,  then  obviously  legislation  is  even  more  critical. 

So  let  me  just  preface  our  discussion  by  stating  that  the  Sec- 
retary has  undertaken  a  monumental  task.  I  strongly  support  the 
overall  goals  of  her  proposal.  Within  the  confines  of  the  health  care 
legislation  the  Secretary  has  tried  to  lay  out  a  comprehensive 
fi-amework  while  still  allowing  the  data  to  be  used  for  research, 
quahty  improvement,  case  and  disease  management,  and  other  im- 
portant purposes  that  sometimes  we  fail  to  realize  how  important 
they  are  until  someone  in  one  particular  niche  comes  to  us  and 
says,  you  did  not  think  about  me.  You  did  not  realize  that  we  do 
these  sorts  of  things. 

So  this  hearing  is  intended  to  assist  us  in  determining  whether 
the  regulation  will  ultimately  prove  to  be  workable  or  whether,  as 
I  said,  we  really  need  to  have  legislation  notwithstanding  the  best 
efforts.  Obviously  from  the  number  of  words  on  pages  with  this 
proposed  ruling  it  is  evident  this  is  a  complicated  issue.  From  all 
indications,  and  I  think  we  have  got — hopefully  in  the  testimony 
we  will  get  some  indication  of  the  number  of  public  comments. 
Since  this  is  nearing  the  last  day  you  may  get  additional,  but  you 
should  have  a  pretty  good  idea  of  the  coimt. 

Frankly,  this  is  helpful,  useful.  This  kind  of  scrutiny  is  good. 
This  is  a  very  important  area  that  we  get  right.  Everyone  agrees 
that  patient  records  should  be  kept  confidential.  The  difficulties 
come  in  determining  the  best  way  to  accomplish  that  goal.  How 
much,  to  what  degree,  in  what  instance,  how  clear  is  it?  To  me,  the 
importance  of  this  issue  in  health  policy  cannot  be  overstated.  In 
fact  it  undergirds  our  attempts,  especially  in  areas  such  as  medical 
errors,  to  get  it  right. 

So  what  we  really  need  to  do  is  listen  carefully  to  all  of  the  con- 
cerns, and  indeed  some  of  the  difficulties  of  the  Secretary  in  trying 
to  put  together  a  package,  so  that  in  our  effort  to  maintain  con- 
fidentiality we  minimally  hinder,  if  at  all,  the  flow  of  information 
that  is  essential  to  the  delivery  of  quality  health  care  and  improv- 
ing the  quality  of  care  for  patients  in  the  future. 

The  Secretary's  effort  represents  the  Administration's  initial  at- 
tempt after  several  false  starts  at  resolving  this  very  perplexing 
policy  challenge.  Today  begins  this  committee's  examination  of 
whether  or  not  the  effort  is  minimally  acceptable  or  whether  we 
are  going  to  have  to  enter  the  legislative  thicket  in  dealing  with 
that. 

[The  opening  statement  follows:] 

Opening  Statement  of  Chairman  William  M.  Thomas,  a  Representative  in 
Congress  from  the  State  of  California 

Good  morning  and  welcome.  Congress  addressed  the  issue  of  medical  record  con- 
fidentiality in  1996  when  it  passed  administrative  simplification  requirements  for 
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electronic  health  transactions.  This  legislation,  the  Health  Insurance  Portability  and 
Accountabihty  Act  (or  HIPAA),  required  the  Secretary  of  Health  and  Human  Serv- 
ices to  make  recommendations  to  Congress  on  how  to  better  protect  the  confidential- 
ity of  personal  health  information  that  is  transmitted  electronically.  The  Secretary 
submitted  her  recommendations  to  us  in  September  of  1997.  Additionally,  Congress 
granted  the  Secretary  the  authority  to  draft  regulations  if  a  confidentiahty  law  was 
not  enacted  by  August  21,  1999.  On  November  3,  1999,  Health  and  Himian  Services 
pubUshed  their  proposed  regulations  for  medical  record  confidentiahty.  The  com- 
ment period  for  this  ruling  was  extended,  upon  our  urging,  xmtil  today,  February 
17,  2000,  and  a  final  ruling  will  follow.  Generally,  covered  entities  must  comply  with 
these  regulations  no  later  than  24  months  following  the  effective  date  of  the  final 
rule. 

Let  me  just  preface  our  discussion  by  stating  that  the  Secretary  has  undertaken 
a  monumental  task  and  I  strongly  support  the  overall  goals  of  her  proposal.  She  has 
tried  to  lay  out  a  comprehensive  framework  for  regulating  the  flow  of  health  care 
information,  while  still  allowing  data  to  be  used  for  research,  quahty  improvement, 
case  and  disease  management,  and  other  important  purposes  that  will  improve  pa- 
tient care.  Today  the  Subcommittee  will  be  examining  these  proposed  regulations 
and  the  possible  effects  that  they  may  have  on  the  health  care  system.  This  hearing 
is  intended  to  assist  us  in  determining  whether  the  regulation  will  ultimately  prove 
to  be  workable  or  whether  additional  legislation  might  be  necessary.  From  the 
length  of  the  proposed  ruhng,  it  is  quite  evident  that  this  is  a  compUcated  issue. 
From  all  indications,  HHS  will  have  received  a  deluge  of  pubhc  comments  by  the 
end  of  today  regarding  this  issue.  This  kind  of  scrutiny  is  good.  For  this  rule  will 
have  broad  implications.  One  thing  is  clear,  we  need  to  get  this  one  right.  Everyone 
agrees  that  patient  records  should  be  kept  confidential,  the  difficulties  come  in  de- 
termining the  best  way  to  accomphsh  this  goal. 

To  me,  the  importance  of  this  issue  in  health  poUcy  cannot  be  overstated.  It  is 
imperative  that  we  ensure  the  confidentiahty  of  Medicare  beneficiaries'  health  infor- 
mation. Protecting  the  confidentiahty  of  this  information  is  critical  to  ensuring  pa- 
tient confidence  in  our  health  care  system.  Yet,  it  is  equally  important  that,  in  the 
effort  to  maintain  confidentiahty,  we  do  not  hinder  the  flow  of  information  that  is 
essential  to  the  dehvery  of  quahty  health  care,  and  to  improving  the  quality  of  care 
for  patients  in  the  future.  The  Secretary's  regulation  represents  the  Administra- 
tion's initial  attempt  at  resolving  this  perplexing  pohcy  challenge.  My  hope  is  that 
today's  hearing  will  be  instrumental  in  helping  us  determine  whether  this  initial  at- 
tempt strikes  the  right  balance. 


With  that  I  would  yield  to  my  colleague  from  Washington,  some- 
one who  has  a  significant  interest  in  this  area  and  has  attempted 
on  his  own  in  the  past  to  help  resolve  the  difficulties  in  this  area. 
The  gentleman  from  Washington,  Mr.  McDermott. 

Mr.  McDermott.  Thank  you,  Mr.  Chairman.  I  want  to  comment 
you  on  having  this  hearing,  and  I  think  that  as  you  rightly  state 
it  is  not  a  partisan  issue.  It  is  an  issue  of  extreme  importance  I 
think  for  the  health  care  system  in  this  coimtry.  For  that  reason 
I  think  that  it  is  important  that  we  start  as  early  in  the  session 
as  we  come  airing  the  issues  so  that  if  we  are  going  to  write  legis- 
lation in  this  session  we  ought  to  have  an  opportunity  to  actually 
let  the  public  be  involved  in  the  process. 

I  practiced  as  a  psychiatrist  for  about  20  years  so  privacy  and  pa- 
tient's confidence  that  what  he  or  she  said  to  me  would  remain  pri- 
vate has  always  been  a  crucial  component  of  my  personal  practice, 
but  it  is  in  all  of  medicine.  It  is  the  basis  for  going  to  a  doctor  and 
saying  to  a  doctor  what  my  problem  is.  If  you  do  not  trust  the  phy- 
sician, or  the  nurse  or  whoever  the  health  provider  is  that  this  in- 
formation is  going  to  be  kept  private,  you  are  liable  to  withhold  or 
tell  only  half  the  story  or  whatever.  So  it  is  important  if  you  are 
going  to  get  good  health  care  that  you  have  privacy  guaranteed. 


7 


But  it  is  more  than  as  an  observer  of  standard  medical  practice 
that  I  became  convinced  we  need  strong  Federal  privacy  laws.  Hav- 
ing had  surgery  I  have  had  already  the  impacts  of  getting  a  medi- 
cation and  then  getting  mailings  from  people  that  I  did  not  know 
where  they  came  from.  I  do  not  know  who  let  these  companies 
know  that  I  was  on  a  particular  medication  and  therefore  should 
send  me  medical  device  information.  It  is  everywhere  and  every- 
body is  being  impacted  on  it,  including  members  of  Congress.  This 
is  not  something  that  is  Democrats  or  Republicans.  It  is  everybody 
in  this  country  who  receives  health  care  is  a  part  of  this  system. 

Now  Congress  had,  as  the  chairman  rightly  says,  a  chance  to  es- 
tablish standards  but  up  to  this  point  we  have  not  done  it.  So  I 
would  like  to  commend  the  Administration,  especially  Secretary 
Shalala,  for  doing  what  the  Congress  so  far  has  been  unable  to  do 
and  moving  forward  with  the  medical  confidentiality  standards.  I 
want  to  thank  the  Secretary  and  the  department  for  working  with- 
in the  constraints  placed  upon  them  by  the  Congress  and  delivering 
a  good  regulation. 

Based  on  the  thousands  of  comments — I  understand  the  figure  is 
in  excess  of  30,000  or  40,000 — HHS  has  been  receiving  on  this 
issue  it  is  safe  to  say  that  they  must  be  on  the  right  trace,  because 
they  are  coming  from  both  sides  or — there  really  is  more  than  two 
sides.  There  are  about  nine  sides  to  this  issue. 

But  in  spite  of  the  good  faith  efforts  by  the  Administration  I 
think  we  all  receive  that  adequate  systemic  protection  of  medical 
privacy  cannot  be  achieved  simply  by  regulation.  When  Congress 
passed  the  Health  Insurance  Portability  and  Accountability  Act, 
the  so-called  HIPAA,  Congress  gave  itself  two  years  to  do  this.  And 
if  we  did  not  act  we  said  Donna  Shalala,  the  Secretary,  should  do 
it.  But  we  imposed  severe  restrictions — and  I  want  to  emphasize 
that — on  the  Secretary.  These  constraints  are  reflected  by  the  nar- 
row scope  of  the  regulation  that  we  have  before  us.  In  my  view  it 
is  a  narrow  scope. 

As  members  of  the  conmiittee  and  as  the  Congress  begins  to 
think  about  this  I  think  we  have  to  keep  in  mind  that  we  pre- 
vented the  Secretary  from  doing  more  than  is  in  this  regulation. 
The  only  entities  that  are  directly  covered  by  the  regulation  are 
health  care  providers,  health  care  plans,  and  health  data  clearing- 
houses. Additionally,  the  regulation  only  applies  to  electronic 
records. 

Now  I  am  the  only  one  on  the  dais  that  ever  filled  out  a  health 
care  record,  kept  records.  Most  of  it  is  written,  or  has  been  for  a 
very  long  time.  The  advent  of  the  computer  has  changed  it  obvi- 
ously, but  for  the  regulation  only  to  deal  with  electronic  data  seems 
to  me  an  unnecessary  or  an  improper  narrowing  of  the  scope  of  the 
regulation. 

In  addition,  we  also  said  there  was  a  limited  enforcement  mecha- 
nism and  no  right  to  sue.  If  your  information  is  used  against  you 
and  you  are  unable  to — if  you  are  damaged  in  some  way  or  feel  you 
are,  you  have  no  right  to  go  to  the  courts. 

Now  by  restricting  the  entities  covered  by  the  regulation  we  left 
a  huge  vacuum  of  unregulated  entities.  For  instance,  researchers 
and  oversight  agencies  that  collect,  use,  and  disclose  protected 
health  information  will  not  be  directly  covered.  Clearly,  the  only 
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way  to  ensure  that  all  parties  to  sensitive  health  information  are 
required  to  maintain  privacy  is  through  strong  and  comprehensive 
legislation.  That  is  why  I  think  the  chairman  is  correct  in  holding 
this  hearing  and  setting  us  on  the  road. 

Now  I  started  in  1995  on  this  issue  after  I  read  an  article  in  the 
New  York  Times  Sunday  magazine  section  about  a  young  man  who 
had  a  disease  called  Marie-Tooth  disease.  It  is  a  very  rare  upper 
limb  muscular  dystrophy  which  makes  weak  upper  arms.  He  was 
taken  and  they  did  the  genetic  testing  on  him  and  all  of  this,  and 
they  did  the  coimseling  with  the  family. 

The  family  thought  that  was  the  end  of  it  imtil  about  three 
months  later  the  father  lost  his  auto  insurance.  Now  he  lost  his 
auto  insurance  without  a  moving  violation,  with  an  accident.  Just 
got  a  notice,  you  no  longer  are  covered  by  our  company.  He  started 
to  investigate  this  and  they  told  him  that  they  had  discovered  that 
his  son's  disease  was  a  genetic  disease  and  they  did  not  want  any- 
body who  had  that  disease  to  have  their  automobile  insurance. 

Now  you  ask  yourself,  how  did  that  get  from  the  doctor's  office 
to  the  auto  insurance  company  that  pulled  his  policy?  It  is  because 
we  are  all  open  to  this,  the  entire  public  at  this  point  can  be  af- 
fected by  that  thing.  And  I  hope  that  the  chairman  will  be  willing 
to  work  with  members  of  the  entire  committee  on  this  issue.  I 
think  we  have  started  well  and  I  think  it  is  a  good  thing  to  do  be- 
cause this  is  an  issue  that  affects  everyone.  It  is  not  going  to  get 
better.  It  is  going  to  get  worse  as  we  go  down  the  road. 

It  is  increasingly  difficidt  to  ensure  the  privacy  of  sensitive 
health  information  because  of  the  tremendous  technological  ad- 
vances and  the  more  efficient  transmittal  of  large  quantities  of 
data.  Computers  have  absolutely  revolutionized  the  way  medical 
information  is  collected,  stored,  and  disseminated.  If  you  walk 
through  a  hospital,  doctors  have  computers  in  their  lap  and  they 
are  typing  things  into  them  and  then  dumping  them  into  the  larger 
mainframe  and  away  it  goes.  So  without  adequate,  enforceable  con- 
trols, this  information  can  easily  be  used  to  breach  the  privacy  of 
patients  and  to  allow  discrimination  against  them. 

Now  rightly,  Americans  are  becoming  increasingly  concerned 
about  this  lack  of  privacy.  If  we  do  not  step  in  with  strong  protec- 
tions we  will  seriously  undermine  the  credibility  of  the  health  care 
system.  That  is,  the  doctor-patient  relationship  which  we  say  we 
want  to  protect.  But  there  is  another  issue  which  I  want  to  put  on 
the  table  and  I  think  in  some  ways  this  hearing  is  really  a  precur- 
sor for  a  much  bigger  problem  down  the  road. 

The  United  States  Government  has  spent  billions  of  dollars  in 
something  called  the  human  genome  project.  Soon  we  will  have  a 
map  of  the  entire  genetic  makeup  of  the  body.  But  while  this  sci- 
entific advance  carries  with  it  many  promising  benefits,  it  also 
raises  significant  concerns  about  privacy. 

One  test  can  determine  a  woman's  potential  susceptibility  to 
breast  cancer.  The  work  was  done  at  the  University  of  Washington 
by  a  Dr.  Mary  Claire  King  and  I  know  intimately  what  went  on 
in  that  whole  thing.  But  many  in  this  country  are  unwilling  to  be 
tested  because  they  are  fearful  that  if  it  gets  into  their  record  that 
they  have  the  gene,  or  it  is  in  their  record  and  their  children  are 
also  receiving  treatment  or  need  treatment  or  are  wondering  about 
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it,  they  may  lose  insurance.  The  fear  about  having  that  genetic  in- 
formation known  and  in  the  computer  system  is  a  restraint  on  the 
kinds  of  prevention  that  would  be  possible  if  we  had  good  assur- 
ance of  privacy. 

So  we  must  ensure  that  our  citizens  can  take  advantage  of  medi- 
cal breakthroughs  without  the  worry  that  information  may  be  used 
against  them. 

To  I  think  we  will  also  hear  concerns  from  companies.  Some  of 
the  information  that  I  read  comes  from  companies  that  make 
money  from  marketing  of  sensitive  health  information.  But  I  be- 
lieve medical  records  must  not  be  commodities  that  are  bought  and 
sold.  I  think  we  may  hear  many  claims  that  the  new  regulation 
must  not  interfere  with  those  particular  interests,  but  the  group  we 
have  to  listen  to  most  carefully  in  my  view  are  the  patients  and 
their  families.  Think  about  your  own  family  records  being  available 
for  anyone  to  look  at  and  you  immediately  see  what  the  problem 
is. 

Now  the  question  we  have  to  ask  ourselves  as  we  write  legisla- 
tion is,  what  value  can  you  place  on  the  confidentiality  of  a  doctor- 
patient  relationship?  It  is  essential  that  we  protect  the  privacy  of 
individuals,  including  their  genetic  privacy.  Good  legislation  can 
ensure  that  the  new  technologies  are  used  not  to  deny  care  or  to 
deny  medical  privacy,  but  to  benefit  all  of  us. 

Mr.  Chgdrman,  as  I  close  I  would  like  to  enter  in  the  record  the 
following  statements,  one  from  Congresswoman  Louise  Slaughter, 
one  from  the  American  Psychiatric  Association,  one  from  the  Amer- 
ican Psychoanal3rtic  Association,  one  from  AFSME,  one  from  the 
Consortium  for  Citizens  for  Disabilities,  and  one  from  the  National 
Breast  Cancer  Coalition,  and  finally  I  would  like  attached  a  letter 
signed  by  a  number  of  members  of  the  Congress  who  are  interested 
in  this  whole  issue.  This  is  a  beginning  of  what  I  think  is  a  very 
important  process  and  I  commend  you  on  it. 

Chairman  Thomas.  Without  objection,  those  will  be  submitted  for 
the  record. 

[The  opening  statement  and  material  follow:] 

Opening  Statement  of  Jim  McDermott,  a  Representative  in  Congress  from 
the  State  of  Washington 

want  to  thank  Chairman  Thomas  and  the  ranking  member,  Mr.  Stark,  for  yield- 
ing me  time  to  talk  about  medical  privacy,  an  issue  that  I  have  been  concerned 
about  for  some  time. 

Most  of  you  know  that  I  was  a  practicing  psychiatrist  for  more  than  30  years.  Pri- 
vacy, and  the  patient's  confidence  that  what  he  or  she  says  will  remain  private,  is 
a  crucial  component  of  that  profession.  But  more  than  that,  as  an  observer  of  stand- 
ard medical  practices,  I  became  convinced  that  we  need  a  strong  federal  privacy  law 
protecting  patients. 

Congress  had  a  chance  to  establish  those  standards  but  couldn't  do  it.  So  I  would 
like  to  commend  the  Administration,  especially  Secretary  Shalala,  for  doing  what 
the  Congress  hasn't  been  able  to  do  and  moving  forward  with  medical  confidentiality 
standards. 

I  thank  the  Secretary  and  the  Department  for  working  within  the  constraints 
placed  on  them  by  Congress  and  delivering  a  good  regulation.  Based  on  the  thou- 
sands of  comments  HHS  is  receiving  from  all  sides  of  the  issue,  it  is  safe  to  say 
they  are  on  the  right  track. 

But  despite  those  good-faith  efforts  by  the  administration,  I  think  we  all  realize 
that  adequate,  systemic  protection  of  medical  privacy  cannot  be  achieved  through 
regulation. 
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When  Congress  passed  The  Health  Insurance  Portabihty  and  Accountability  Act 
(HIPAA),  Congress  gave  itself  two  years  to  write  comprehensive  privacy  regulations. 
If  we  did  not  act — and  we  didn't — then  Secretary  Shalala  could  issue  rules.  But  we 
imposed  some  strict  constraints  on  the  secretary.  These  constraints  are  reflected  by 
the  narrow  scope  of  the  regulation  before  us. 

As  the  members  of  the  subcommittee  listen  to  the  testimony  today,  I  urge  you  to 
keep  in  mind  what  we  prevented  the  Secretary  from  doing.  The  only  entities  that 
are  directly  covered  by  the  regulation  are  health  care  providers,  headth  plans,  and 
health  data  clearinghouses.  Additionally,  the  regulation  only  applies  to  electronic 
records — ^not  even  paper  records  are  protected — and  there  is  a  limited  enforcement 
mechanism,  and  no  right  to  sue. 

By  restricting  the  entities  covered  by  the  regulation,  we  have  left  a  large  vacuum 
of  unregulated  entities.  For  instance,  researchers  and  oversight  agencies  that  col- 
lect, use,  and  disclose  protected  health  information  will  not  be  directly  covered, 

I  applaud  the  Secretary's  effort  to  hmit  disclosures  by  binding  the  business  part- 
ners of  cover  entities  through  contracts.  This  intermediary  step  heads  in  the  right 
direction  by  ensuring  the  rights  of  patients  are  not  violated.  Unfortunately,  it  tar- 
gets the  liabihty  on  covered  entities,  while  failing  to  prevent  re-disclosures  by  enti- 
ties that  are  not  covered. 

The  intent  of  HIPAA's  Administrative  Simphfication  section  was  to  move  the 
health  care  industry  toward  using  electronic  records — a  worthwhile  goal. 

Clearly,  we  must  take  action  to  apply  the  regulation's  protections  to  all  patient 
records.  Congress'  preventing  Secretary  Shalala  from  covering  paper  records  doesn't 
pass  the  laugh  test.  I  believe  the  Secretary  has  the  authority  to  cover  both  paper 
and  electronic  records  and  encourage  her  to  do  so  in  the  final  rule.  Applying  this 
regulation  only  to  electronic  records  will  create  a  disincentive  for  organizations  to 
convert  existing  records  to  electronic  form — ^which  is  contrary  to  Congress'  intent. 

Congress  also  failed  to  allow  the  Secretary  to  include  adequate  enforcement  of  the 
regulation.  The  enforcement  mechanisms  in  this  regulation  are  minimal  at  best.  We 
have  estabhshed  rules  for  the  use  and  disclosure  of  sensitive  health  information 
without  providing  meaningful  repercussions  for  breaking  them.  Compounding  the 
problem  is  the  fact  that  Congress  did  not  provide  a  right-to-sue  provision  in  HIPAA. 

Clearly,  the  only  way  to  ensure  that  all  parties  to  sensitive  health  information  are 
required  to  maintain  privacy  is  through  strong,  comprehensive  legislation.  In  May 
1996,  I  introduced  my  first  medical  privacy  bill.  I  hope  the  Chairman  will  be  willing 
to  work  with  all  members  of  the  committee  in  pursuit  of  a  strong,  comprehensive, 
and  bipartisan  biU. 

If  privacy  is  not  maintained,  the  pubUc  will  lack  confidence  in  our  health  care  sys- 
tem. If  individuals  doubt  their  iniormation  will  be  kept  private,  they  will  either 
delay  treatment  or  be  less  forthcoming  with  their  physicians.  This  self-monitoring 
of  personal  health  information  will  result  in  increased  personal  and  financial  costs. 
We  could  even  see  a  dechne  in  societal  health  stemming  fi'om  the  increase  in  trans- 
mission of  commimicable  diseases. 

Also,  it  is  increasingly  difficult  to  ensure  the  privacy  of  sensitive  health  informa- 
tion. Tremendous  technological  advances  make  it  easier  and  more  efficient  to  trans- 
mit large  quantities  of  data.  Computers  have  revolutionized  the  way  medical  infor- 
mation is  collected,  stored,  and  disseminated.  Without  adequate,  enforceable  con- 
trols, this  information  can  easily  be  used  to  breach  the  privacy  of  patients  and  to 
allow  discrimination  agsiinst  them. 

Americans  are  becoming  increasingly  concerned  about  their  lack  of  privacy.  If  we 
don't  step  in  with  strong  protections,  we  will  seriously  undermine  the  credibility  of 
our  health  care  system. 

One  technological  advance  which  we  need  to  address  is  the  Human  Genome 
Project.  Soon,  we  will  have  a  map  of  the  entire  genetic  makeup  of  the  body.  But 
while  this  scientific  advance  carries  with  it  many  promising  benefits,  it  also  raises 
significant  concerns  about  privacy. 

One  test  can  determine  a  woman's  potential  susceptibility  to  breast  cancer.  But 
some  women,  afiraid  that  they  or  even  their  daughters  will  be  denied  employment 
or  health  insurance  if  they  carry  the  gene,  won't  submit  to  the  test. 

We  must  ensure  that  our  citizens  can  take  advantage  of  medical  breakthroughs 
without  the  worry  that  private  information  may  be  used  against  them. 

Today,  we  will  hear  concerns  about  companies  that  stand  to  make  money  market- 
ing sensitive  medical  information.  But,  medical  records  must  not  be  commodities 
that  are  bought  and  sold. 

We  may  hear  many  claims  that  any  new  legislation  must  not  interfere  with  those 
particular  interests.  But  the  group  we  should  listen  to  most  will  be  hardest  to  hear: 
patients  and  their  families.  Think  about  your  own  family's  medical  records  being 
available  for  anyone  to  look  at.  What  value  can  we  place  on  the  confidentiality  of 
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the  doctor-patient  relationship?  It  is  essential  that  we  protect  the  privacy  of  individ- 
uals, including  their  genetic  privacy.  Good  legislation  can  ensure  that  new  tech- 
nologies are  used,  not  to  deny  health  care  or  to  deny  mediceil  privacy,  but  to  benefit 
all  of  us. 

Mr.  Chairman,  I  would  like  to  enter  the  following  statements  into  the  record: 

1.  Congresswoman  Louise  Slaughter; 

2.  American  Psychiatric  Association; 

3.  American  Psychoanalytic  Association; 

4.  AFSME,  the  American  Federation  of  State,  County  and  Municipal  Employees; 

5.  Consortium  of  Citizens  for  DisabiUties; 

6.  National  Breast  Cancer  CoaHtion;  and 

7.  The  attached  comment  letter  signed  by  a  number  of  Democratic  members  of 
Congress  who  are  leading  health  privacy  advocates. 

Thank  you. 


Chairman  Thomas.  Now  Dr.  Hamburg,  thank  you  very  much  for 
coming  before  us.  Dr.  Hamburg  is  the  assistant  secretary  for  plan- 
ning and  evaluation,  U.S.  Department  of  Health  and  Human  Serv- 
ices. She  is  narrowly  responsible,  but  obviously  the  Secretary  is 
broadly  responsible.  And  as  is  the  case  in  our  offices  many  times, 
we  may  be  the  point  person  but  we  are  not  the  one  that  either  has 
a  broader  command  of  the  particular  area,  and  Dr.  Hamburg  has 
asked  Mr.  Claxton  to  sit  at  the  table.  Since  our  goal  is  to  try  to 
understand  rather  than  play  gotcha,  we  are  more  than  willing  to 
allow  that  to  occur. 

So  Dr.  Hamburg,  your  written  testimony  will  be  made  a  part  of 
the  record  and  you  can  address  us  in  any  way  you  see  fit  in  the 
time  that  you  have  available. 

STATEMENT  OF  HON.  MARGARET  A.  HAMBURG,  M.D.,  ASSIST- 
ANT SECRETARY  FOR  PLANNING  AND  EVALUATION,  U.S.  DE- 
PARTMENT OF  HEALTH  AND  HUMAN  SERVICES;  ACCOM- 
PANIED BY  GARY  CLAXTON,  DEPUTY  ASSISTANT  SECRETARY 
FOR  HEALTH  POLICY 

Dr.  Hamburg.  Thank  you  very  much,  Mr.  Chairman,  and  distin- 
guished members  of  the  subcommittee.  I  appreciate  the  opportimity 
to  appear  before  you  to  discuss  the  need  for  Federal  legislation  to 
safeguard  the  privacy  of  health  information.  As  you  know,  health 
information  privacy  is  the  top  priority  for  the  department  and  the 
Administration  and  we  continue  to  believe  that  legislation  is  the 
only  way  to  achieve  that  goal. 

I  am  joined  by  Mr.  Gary  Claxton,  the  deputy  assistant  secretary 
for  health  policy  in  my  office  who  has  been  deeply  involved  with 
issues  of  health  privacy  and  the  development  of  the  proposed  reg. 

At  the  outset,  I  want  to  commend  the  members  of  the  sub- 
committee for  their  interest  in  health  care  privacy  and  efforts  to 
develop  this  important  and  complex  legislation.  In  addition,  we  are 
encouraged  by  the  recent  appointment  of  two  Congressional  task 
forces  to  address  privacy  issues.  These  efforts  have  the  potential  to 
generate  the  momentum  needed  to  enact  legislation  this  year. 

We  are  here  today  to  emphasize  our  support  for  passage  of  bipar- 
tisan legislation  providing  comprehensive  privacy  protection  to  peo- 
ple's health  care  information.  Stories  abound  that  raise  concern 
that  our  sensitive  medical  information  can  enter  the  wrong  hands 
and  be  misused.  Almost  75  percent  of  our  citizens  say  that  they  are 
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at  least  somewhat  concerned  that  computerized  medical  records 
will  have  a  negative  effect  on  their  privacy. 

Numerous  analyses  by  Grovemment,  industry,  and  professional 
groups  have  identified  serious  gaps  in  protections  for  health  infor- 
mation and  have  recommended  Federal  legislation  to  close  them. 
And  of  course,  we  have  already  heard  your  personal  stories  about 
this  concern.  If  we  do  not  act  now,  public  distress  could  deepen  and 
ultimately  stop  citizens  from  disclosing  important  information  to 
their  doctors  or  getting  needed  treatment. 

In  September  of  1997,  Secretary  Shalala  presented  her  rec- 
ommendations for  protecting  the  confidentiality  of  individually 
identifiable  health  information.  In  that  report  the  Secretary  con- 
cluded that  Federal  legislation  establishing  a  national  floor  of  con- 
fidentiality is  necessary  to  provide  rights  for  patients  and  define  re- 
sponsibilities of  recordkeepers.  She  recommended  that  Federal  leg- 
islation focus  on  health  care  payers  and  providers  and  the  people 
who  receive  health  information  from  them. 

The  Secretary  legislation  to  implement  five  key  principles.  First, 
information  about  a  consumer  that  is  obtained  for  delivering  and 
paying  for  health  care  should,  with  very  few  exceptions,  be  used 
and  disclosed  for  health  purposes  and  health  purposes  only. 

Second,  those  who  legally  receive  health  information  should  be 
required  to  take  reasonable  steps  to  safeguard  it. 

Third,  consumers  should  have  access  to  their  health  records, 
should  know  how  their  health  information  is  being  used,  and  who 
has  looked  at  it,  and  should  be  given  clear  explanations  of  these 
rights. 

Fourth,  people  who  violate  the  confidentiality  of  our  personal 
health  information  should  be  accountable. 

These  first  four  principles  must  be  balanced  against  the  fifth 
principle,  public  responsibility.  Just  like  our  free  speech  rights,  pri- 
vacy rights  cannot  be  absolute.  We  must  balance  our  protections  of 
privacy  with  our  public  responsibility  to  support  other  critical  na- 
tional goals:  public  health,  research,  quality  care,  and  our  fight 
against  health  care  fraud  and  abuse. 

To  prepare  the  proposed  privacy  regulation  we  assembled  a  team 
from  all  the  relevant  Federal  agencies.  We  published  the  proposed 
rule  on  November  3rd,  1999  and  the  period  for  public  comment,  as 
you  noted,  closes  today.  We  explained  the  basis  for  our  proposals 
in  detail  in  the  preamble  to  the  proposed  rule,  but  also  asked  for 
comment  on  over  150  specific  issues.  We  will  review  all  the  com- 
ments we  receive  and  we  will  make  whatever  changes  are  appro- 
priate. 

We  are  committed  to  achieving  the  proper  balance  between  en- 
suring patient  privacy  and  the  needs  of  the  health  care  system  to 
function  properly  and  to  continue  advances  in  health  protection 
and  medical  treatment.  Our  commitment  to  getting  it  right  led  us 
to  extend  the  comment  period  from  January  3rd  to  February  17th 
so  the  public  and  stakeholders  would  have  adequate  time  to  con- 
sider the  proposed  rule. 

Since  we  have  just  begun  to  review  the  comments  I  will  not  be 
able  to  speculate  on  or  debate  the  contents  of  the  final  rule  today. 
But  I  can  tell  you  that  as  of  yesterday  we  had  received  about 
40,000  comments  by  mail  or  hand-delivery  and  roughly  another 
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10,000  on  our  web  site.  Further,  we  have  met  with  dozens  of  indi- 
viduals and  groups  to  hear  more  about  their  concerns  and  clarify 
provision  of  the  proposed  rule. 

While  we  are  moving  ahead  to  prepare  the  final  regulation  let  me 
give  you  a  few  reasons  why  we  continue  to  call  for  legislation. 
First,  the  HIPAA  limits  the  appUcation  of  our  proposed  rule  to 
three  entities,  health  plans,  clearinghouses,  and  certain  providers. 
But  it  does  not  provide  authority  for  the  rule  to  reach  many  people 
who  receive  health  information  from  these  entities.  In  short,  in  the 
rule  we  cannot  put  in  place  appropriate  restrictions  on  how  such 
recipients  of  protected  health  information  may  use  and  redisclose 
that  information. 

Second,  we  are  concerned  that  the  enforcement  provisions  in  the 
HIPAA  are  not  adequate.  The  penalty  structure  is  not  commensu- 
rate with  the  importamce  of  privacy  in  our  lives,  and  there  is  no 
statutory  authority  for  a  private  right  of  action  for  individuals  to 
enforce  their  privacy  rights. 

There  are  additional  reasons  we  continue  to  call  for  legislation. 
For  example,  under  the  HIPAA  only  those  providers  engaged  in 
electronic  transactions  can  be  covered.  Any  provider  who  maintains 
a  solely  paper  information  system  cannot  be  subject  to  these  pri- 
vacy stauidards. 

Mr.  Chairman,  the  principles  embodied  in  our  recommendations 
and  proposed  regulation  should  guide  a  comprehensive  law  that 
will  create  substantive  Federal  standards  and  provide  our  citizens 
with  real  peace  of  mind.  The  principles  represent  a  practical,  com- 
prehensive and  balanced  strategy  to  protect  health  care  informa- 
tion that  is  collected,  shared,  and  used  in  an  increasingly  complex 
world. 

Thank  you  again  for  giving  me  this  opportunity  to  testify  and  I 
look  forward  to  answering  any  questions  that  you  may  have  and 
working  closely  with  you  as  you  move  forward  on  this  important 
agenda. 

[The  prepared  statement  follows:] 

Statement  of  Hon.  Margaret  A.  Hamburg,  M.D.,  Assistant  Secretary  for 
Planning  and  Evaluation,  U.S.  Department  of  Health  and  Human  Services 

Mr.  Chairman,  CongressmEiii  Stark,  distinguished  members  of  the  Committee:  I 
appreciate  the  opportunity  to  appear  before  you  to  discuss  the  need  for  federal  legis- 
lation to  ensure  comprehensive  privacy  safeguards  for  health  information.  This  issue 
is  a  top  priority  for  the  Department  and  the  Administration,  and  although  the  regu- 
lation that  we  recently  proposed  serves  as  a  foundation  for  providing  strong  privacy 
protections  for  consimiers'  health  information,  we  continue  to  beUeve  that  legislation 
is  ultimately  necessary  if  we  are  to  appropriately  protect  the  privacy  of  the  health 
information  of  all  Americans. 

As  the  outset,  I  want  to  commend  the  members  of  this  Subcommittee  Mr.  Thomas, 
Mr.  Stark,  and  Mr.  McDermott,  as  well  as  Mr.  Cardin,  for  their  interest  in  health 
care  privacy  and  efforts  to  develop  this  important  and  complex  legislation.  In  addi- 
tion, we  are  encouraged  by  the  recent  appointment  of  two  congressional  task  forces 
to  address  privacy  issues.  The  "Congressional  Privacy  Caucus"  has  the  potential  to 
generate  the  momentum  needed  to  enact  legislation  this  year. 

As  you  may  remember.  Secretary  Shalala  first  presented  her  recommendations, 
required  by  the  Congress  under  Section  264  of  the  Heath  Insurance  Portabihty  and 
Accountabihty  Act  (HIPAA),  in  September  1997. i  I  think  it  is  fair  to  say  that  the 


1  Confidentiality  of  Individually-Identifiable  Health  Information,  Recommendations  of  the  Sec- 
retary of  Health  and  Hiiman  Services,  pursuant  to  section  264  of  the  Health  Insurance  Port- 
Continued 
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recommendations  were  well  received  and  have  been  used  to  assist  others  in  crafting 
their  own  legislative  proposals. 

HIPAA  also  requires  that  if  legislation  establishing  comprehensive  privacy  protec- 
tion was  not  enacted  by  August  of  last  year,  HHS  must  prepare  final  regulations. 
We  assembled  an  interagency  team  to  assist  us  in  preparing  the  proposed  regula- 
tion, including  representatives  fi-om  the  Departments  of  Labor,  Defense,  Justice, 
Commerce,  the  Social  Security  Administration,  the  Office  of  Personnel  Management, 
the  Department  of  Veterans  Affairs,  and  the  Office  of  Management  and  Budget.  We 
published  the  proposed  rule  on  November  3  of  1999;  the  period  for  pubUc  comment 
closes  today,  February  17,  2000,  and  we  will  call  upon  a  similarly  broad  team  to 
review  and  respond  to  the  public  comments. 

We  explained  the  basis  for  our  proposals  in  detail  in  the  preamble  to  the  proposed 
rule  and  asked  for  comments  on  over  150  specific  issues.  We  are  committed  to  re- 
viewing all  the  public  comments.  Nothing  in  our  proposed  rule  is  set  in  stone.  We 
are  committed  to  achieving  the  proper  balance  between  ensuring  patient  privacy 
and  the  needs  of  the  health  care  system  to  function  properly  and  continue  advances 
in  medical  treatment.  Our  commitment  to  'getting  it  right'  led  us  to  extend  the  com- 
ment period  fi'o  January  3  to  February  17,  so  the  public  and  stakeholders  would 
have  adequate  time  to  consider  the  proposed  rule,  comment,  and  suggest  alternative 
proposals. 

Since  we  have  just  begun  to  review  the  comments,  I  will  not  speculate  on  or  de- 
bate the  contents  of  the  final  rule  today.  I  can  tell  you  that,  as  of  yesterday,  we 
had  received  over  30,000  comments  by  mail  or  hand  dehvery,  and  another  10,000 
on  our  web  site.  Further,  we  met  with  dozens  of  individuals  and  organizations  to 
hear  more  about  their  concerns  and  clarify  provision  of  the  proposed  rule. 

While  we  are  moving  ahead  to  prepare  the  final  regulation,  the  President  and  Sec- 
retary Shalala  have  made  it  very  clear  that  their  first  priority  is  to  see  Congress 
enact  a  health  information  privacy  bill  that  builds  upon  the  progress  made  by  our 
proposed  regulation  and  ensures  comprehensive  privacy  protections.  We  beheve  our 
rule  will  be  a  very  good  start  in  providing  confidentiality  protections,  but  legislation 
is  needed  to  complete  this  important  task  and  provide  the  protections  envisioned  in 
the  Secretar/s  recommendations.  Our  staff  have  been  working  closely  with  many 
of  your  staff,  and  staff  in  the  Senate,  to  assist  you  in  achieving  that  goal.  Again, 
let  me  reiterate,  we  want  to  see  legislation,  and  we  want  to  work  with  you  to  make 
that  happen. 

The  issue  of  health  information  privacy  is  quite  complex — in  order  to  resolve  it 
legislatively,  some  difficult  choices  will  have  to  be  made.  We  believe  that  our  rec- 
ommendations strike  the  appropriate  balance  between  the  privacy  needs  of  our  citi- 
zens and  the  critical  needs  of  our  health  care  system  and  our  nation.  This  is  an 
issue  that  touches  every  single  American,  and  to  reach  resolution  we  will  need  a 
bipartisan  effort. 

THE  NEED  FOR  LEGISLATION 

It  has  been  over  25  years  since  a  public  advisory  committee  appointed  by  former 
HEW  Secretary  Elliot  Richardson  set  forth  principles  of  fair  information  practices 
that  led  to  the  landmark  Federal  Privacy  Act.  The  Privacy  Act  is  premised  on  the 
idea  that  individuals  have  a  right  to  know  what  personal  information  the  govern- 
ment holds  about  them,  how  that  information  will  be  used,  and  the  right  to  review 
that  information.  Those  25  years  have  brought  vast  changes  in  our  health  care  sys- 
tem. 

Changes  in  our  health  care  delivery  system  mean  that  we  must  place  our  trust 
in  entire  networks  of  insurers  and  health  care  professionals — ^both  public  and  pri- 
vate. The  computer  and  telecommimications  revolutions  mean  that  information  no 
longer  exists  in  one  place — it  can  travel  in  real  time  to  many  hospitals,  physicians, 
insurers,  and  across  state  Unes. 

In  addition,  new  discoveries  in  biology  mean  that  a  whole  new  world  of  medical 
tests  have  the  potential  to  help  prevent  disease.  However,  they  also  reveal  the  most 
personal  health  information  about  an  individual  and  liis  or  her  family.  Without  safe- 
guards to  assure  citizens  that  getting  tested  will  not  endanger  their  families'  privacy 
or  health  insurance,  we  could  endanger  one  of  the  most  promising  areas  of  research 
our  nation  has  ever  seen. 

Health  care  privacy  can  be  safeguarded.  It  must  be  done  with  national  legislation, 
national  education,  and  an  on-going  national  conversation. 

Currently,  when  we  give  a  physician  or  health  insurance  company  precious  health 
information,  the  level  of  protection  will  vary  widely  fi'om  state  to  state.  We  have 


ability  and  Accoiintability  Act  of  1996"  can  be  found  on  the  HHS  web  site  at:  http^/ 
aspe.os.dhhs.gov/admnsimp. 
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no  comprehensive  federal  health  information  privacy  standards.  Because  the  prac- 
tice of  nealth  care  is  increasingly  becoming  interstate  through  mergers,  complex 
contractual  relationships  and  enhanced  telecommunications,  we  can  no  longer  rely 
on  the  existing  patchwork  of  state  laws.  The  patchwork  does  not  provide  Americans 
the  privacy  protections  they  need  or  expect.  The  Congress  should  seize  upon  this 
opportunity  to  create  strong  federal  standards  and  reassure  the  pubhc  that  they  can 
trust  their  health  care  providers  and  insurers  to  keep  their  health  information  se- 
cure. 

In  developing  our  recommendations  for  federal  legislation,  we  learned  a  great  deal 
through  consultations  with  a  variety  of  outside  groups  and  from  six  days  of  public 
hearings  conducted  by  the  National  Conunittee  on  Vital  and  Health  Statistics,  our 
statutory  federal  advisory  committee  for  health  data  and  privacy  poUcy.  The  hear- 
ings involved  over  40  witnesses  from  across  the  health  community,  including  health 
C£ire  professionals,  plans,  insurance  companies,  the  privacy  community,  and  the  pub- 
hc health  and  research  communities. 

We  believe  our  recommendations  provide  a  balanced  framework  for  legislation 
that  can  protect  the  privacy  of  medical  records,  guarantee  consumers  the  right  to 
inspect  their  records,  and  punish  unauthorized  disclosures  of  personal  health  data 
by  nospitals,  insurers,  health  plans,  drug  companies  or  others. 

THE  PRINCIPLES 

The  Secretary's  recommendations  for  legislation,  and  our  proposed  regulation,  are 
grounded  in  five  key  principles:  Boundaries,  Security,  Consumer  Control,  Account- 
ability, and  Pubhc  Responsibihty. 

Boundaries 

The  first  is  the  principle  of  Boundaries:  With  very  few  exceptions,  personally  iden- 
tifiable health  Oxre  information  should  be  disclosed  for  health  purposes  and  health 
purposes  only.  It  should  be  easy  to  use  it  for  those  purposes,  and  very  difficult  to 
use  it  for  other  purposes. 

For  example,  employers  should  be  able  to  use  the  information  furnished  by  their 
employees  to  provide  on-site  care  or  to  administer  a  health  plan  in  the  best  interests 
of  tnose  employees.  But  those  same  employers  should  not  be  able  to  use  information 
obtained  for  health  care  purposes  to  discriminate  against  individuals  when  making 
employment  decisions — such  as  hiring,  firing,  training,  placements  and  promotions. 
To  enforce  these  boundaries,  we  recommend  strong  penalties  for  the  inappropriate 
use  or  disclosure  of  medical  records. 

We  recommend  that  the  legislation  apply  specifically  to  providers  and  payers,  and 
to  anyone  who  receives  health  information  from  a  provider  or  payer,  either  with  the 
authorization  of  the  patient  or  as  authorized  exphcitly  by  legislation.  To  the  extent 
allowed  under  the  HIPAA  statute,  we  have  taken  this  approach  in  our  proposed  reg- 
ulation. Our  proposed  rule  would  authorize  the  use  and  disclosure  of  personal  infor- 
mation by  heath  plans  and  providers  without  the  person's  consent  for  specified 
health  care  and  national  priority  purposes,  and  would  require  fair  and  informed  con- 
sent from  individuals  for  all  other  uses.  However,  as  discussed  below,  the  statute 
limits  our  authority  to  ensure  that  information  that  leaves  a  health  plan  or  provider 
remains  protected. 

Our  recommendations  also  recognize  that  these  providers  and  payers  do  not  act 
alone.  In  order  for  a  provider  or  payer  to  operate  efficiently,  it  may  need  to  enlist 
a  service  organization  to  perform  an  administrative  or  operational  fimction.  For  ex- 
ample, a  hospital  may  hire  an  organization  to  encode  and  process  bills,  or  a  man- 
aged care  organization  may  contract  with  a  pharmaceutical  benefit  management 
company  to  provide  information  to  pharmacists  about  what  medications  are  covered 
and  appropriate  for  their  customers. 

The  numbers  and  types  of  service  organizations  are  increasing  every  day.  While 
most  do  not  have  direct  relationships  with  the  patients,  they  do  have  access  to  their 
ersonal  health  care  information.  Therefore,  we  recommend  that  they  should  be 
ound  by  the  same  standards.  For  example,  a  health  plan's  contractor  should  be  al- 
lowed to  have  access  to  patient  Usts  in  order  to  do  mailings  to  remind  patients  to 
schedule  appointments  for  preventive  care.  But  it  should  not  be  able  to  sell  the  pa- 
tient lists  to  a  pharmaceutical  company  for  a  direct  mailing  announcing  a  new  prod- 
uct (without  the  person's  consent).  With  the  Business  Partner  provisions  of  our  pro- 
posed Privacy  Standards,  we  have  taken  this  approach  to  the  extent  allowed  imder 
the  HIPAA  statute. 

Security 

The  second  principle  is  Seciirity.  Americans  need  to  feel  secure  that  when  they 
give  out  personal  health  care  information,  they  are  leaving  it  in  good  hands.  Infor- 
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mation  should  not  be  used  or  given  out  unless  either  the  patient  authorizes  it  or 
there  is  a  clear  legal  basis  for  doing  so. 

There  are  many  different  ways  that  private  information  like  your  blood  tests  could 
become  public.  People  who  are  allowed  to  see  it — such  as  lab  technicians — can  mis- 
use it  either  carelessly  or  intentionally.  And  people  who  should  not  be  seeing  it — 
such  as  marketers  or  even  hackers — can  find  a  way  to  access  it,  either  because  the 
organization  holding  the  information  doesn't  have  proper  safeguards  or  the  market- 
ers can  find  an  easy  way  around  the  s£ifeguards.  To  give  Americans  the  security 
they  expect  and  deserve,  Congress  should  develop  legislation  that  requires  those 
who  legally  receive  health  information  to  take  reasonable  steps  to  safeguard  it  or 
face  consequences  for  fgdlure  to  do  so. 

What  do  we  mean  by  reasonable  steps?  The  organizations  should  be  required  to 
have  in  place  protective  administrative  and  management  techniques,  educate  their 
employees  about  these  procedures,  and  impose  disciplinary  sanctions  against  em- 
ployees who  use  information  improperly  or  carelessly. 

We  addressed  some  of  these  steps  in  our  Security  Standards  regulation,  imple- 
menting the  Administrative  Simplification  mandate  under  HIPAA.2  That  NPRM 
laid  out  a  range  of  approaches  for  safeguarding  the  information  to  which  the  HIPAA 
mandate  applies.  In  the  privacy  NPRM  we  proposed  related  steps  for  safeguarding 
health  information,  and  we  will  coordinate  these  requirements  in  the  final  Security 
and  Privacy  regulations.  However,  these  regulations  will  not  reach  all  health  infor- 
mation held  by  health  plans  and  providers.  We  need  legislation  to  cover  all  health 
information  that  needs  this  kind  of  protection. 

We  don't  believe  a  law  can  specify  the  details  of  these  protections  because  each 
organization  must  keep  pace  with  the  new  threats  to  our  privacy  and  the  technology 
that  can  either  abate  or  exacerbate  them.  But  a  federal  law  can  require  everyone 
who  holds  health  information  to  have  these  types  of  safeguards  in  place  and  specify 
the  appropriate  sanctions  if  the  information  is  improperly  disclosed.  In  our  regula- 
tions, we  have  proposed  such  a  "scalable"  approach,  to  reflect  the  differences  in  the 
size  and  nature  of  the  entities  that  hold  health  information.  The  proposed  regula- 
tions set  forth  the  basic  principles  and  general  criteria  for  securing  health  informa- 
tion, and  leave  the  specific  steps  for  meeting  these  principles  to  each  regulated  en- 
tity. In  this  way,  each  entity  can  take  the  steps  most  appropriate  to  its  size,  the 
nature  of  the  information  it  holds,  and  its  business  practices. 

Consumer  Control 

The  third  principle  is  Consiomer  Control.  The  principles  of  fair  information  prac- 
tice (formulated  in  1973  by  a  committee  appointed  by  Secretary  Richardson)  in- 
cluded as  a  basic  right:  "There  must  be  a  way  for  an  individual  to  find  out  what 
information  about  him  is  in  a  record  and  how  it  is  used." 

With  very  narrow  exceptions,  consumers  should  have  the  right  to  find  out  what 
is  contained  in  their  records,  find  out  who  has  looked  at  them,  and  to  inspect,  copy 
and,  if  necessary,  correct  them.  Consumers  should  be  given  a  clear  explanation  of 
these  rights  and  they  should  understand  how  organizations  will  use  their  informa- 
tion. Let  me  give  you  an  example  of  why  this  is  important.  According  to  the  Privacy 
Rights  Clearinghouse,  a  California  physician  in  private  practice  was  having  trouble 
getting  health,  disability,  and  life  insurance.  She  ordered  a  copy  of  her  report  from 
the  Medical  Information  Bureau — an  information  service  used  by  many  insurance 
companies.  It  included  information  showing  that  she  had  a  heart  condition  and  Alz- 
heimer's disease.  There  was  only  one  problem.  None  of  it  was  true.  Unfortunately, 
under  the  current  system  these  types  of  errors  occur  all  too  often.  Consumers  often 
do  not  have  access  to  their  own  health  records  and  even  those  who  do  are  not  al- 
ways able  to  correct  some  of  the  most  egregious  errors. 

With  that  in  mind,  our  Recommendations  set  forth  a  set  of  practices  and  proce- 
dures that  would  require  that  insurers  and  health  care  providers  provide  consumers 
with  a  written  explanation  of  who  has  access  to  their  information  and  how  that  in- 
formation will  be  used,  how  they  can  restrict  or  limit  access  to  it,  and  what  their 
rights  are  if  their  information  is  disclosed  improperly. 

We  also  recommend  procedures  for  patients  to  inspect  and  copy  their  information, 
and  set  out  the  very  Umited  circimistances  under  which  patient  inspection  should 
be  properly  denied. 

Finally,  we  recommend  a  process  for  patients  to  seek  corrections  or  amendments 
to  their  health  information  to  resolve  situations  in  which  innocent  coding  errors 
cause  patients  to  be  charged  for  procedures  they  never  received,  or  to  be  on  record 


2  The  notice  of  proposed  rule  making  for  Security  and  Electronic  Signature  Standards,  cover- 
ing security  safeguards  for  electronic  information,  was  published  on  August  12,  1998. 
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as  having  conditions  or  medical  histories  that  are  inaccurate.  The  proposed  privacy 
standards  follow  these  Recommendations. 

Accountability 

The  fourth  principle  is  Accountability.  If  you  are  using  information  improperly, 
you  should  be  pimished.  This  flows  directly  from  the  second  principle  of  security — 
the  requirement  to  safeguard  information  must  be  followed  by  real  and  severe  pen- 
alties for  violations.  Congress  should  send  the  message  that  protecting  the  confiden- 
tiaUty  of  health  information  is  vitally  important,  and  that  people  who  violate  that 
confidence  will  be  held  accountable. 

We  recommend  that  offenders  should  be  subject  to  criminal  felony  penalties  if 
they  knowingly  obtain  or  use  health  care  information  in  violation  of  the  standards 
outlined  in  our  report.  The  penalties  mandated  in  privacy  legislation  should  be  high- 
er when  violations  are  for  monetary  gain.  In  addition,  when  there  is  a  demonstrated 
pattern  or  practice  of  unauthorized  disclosure,  those  committing  it  should  be  subject 
to  civil  monetary  penalties. 

In  addition  to  pimishing  the  perpetrators,  we  must  give  redress  to  the  victims. 
We  beheve  that  any  individual  whose  privacy  rights  have  been  violated  should  be 
permitted  to  bring  a  legal  action  for  actual  damages  and  equitable  rehef.  The  stand- 
ard for  such  actions  should  not  be  set  so  high  as  to  make  the  right  meaningless  in 
practice.  Attorney's  fees  and  punitive  damages  should  be  available  when  the  viola- 
tion is  particularly  egregious.  As  described  more  fully  below,  the  HIPAA  legislative 
authority  does  not  allow  the  regulation  to  accompUsh  these  goals. 

These  first  four  principles — Boundaries,  Security,  Consumer  Control  and  Account- 
abihty — must  be  carefully  weighed  against  the  fift;h  principle,  Public  Responsibility. 

Public  Responsibility 

Just  like  our  fi'ee  speech  rights,  privacy  rights  can  never  be  absolute.  We  have 
other  critical — ^yet  often  competing — interests  and  goals.  We  must  balance  our  pro- 
tections of  privacy  with  our  pubhc  responsibihty  to  support  national  priorities — pub- 
Uc  health  and  safety,  research,  quality  care,  and  our  fight  against  health  care  fraud 
and  abuse  and  other  unlawful  activities. 

Our  Department  is  acutely  aware  of  the  need  to  use  personal  health  information 
for  each  of  these  national  priorities.  For  example,  researchers  have  used  health 
records  to  help  us  fight  childhood  leukemia  and  uncover  the  link  between  DES  and 
reproductive  cancers.  Public  health  agencies  use  health  records  to  warn  us  of  out- 
breaks of  emerging  infectious  diseases.  HHS  auditors  use  health  records  to  uncover 
kickbacks,  overpayments  and  other  fraudulent  activity.  In  addition,  our  efforts  to 
improve  quality  in  our  health  care  system  depend  on  our  ability  to  review  health 
information  to  determine  how  well  health  institutions  and  health  professionals  are 
caring  for  patients. 

For  public  health  and  safety,  research,  quahty  evaluations,  fi'aud  investigations, 
and  legitimate  law  enforcement  purposes,  it's  not  always  possible,  or  desirable,  to 
ask  for  each  patient's  authorization  for  access  to  the  necessary  health  information. 
And,  in  many  cases,  doing  so  could  create  major  obstacles  in  our  efforts.  While  we 
must  be  able  to  use  identifiable  information  when  necessary  for  these  purposes,  we 
should  use  information  that  is  not  identifiable  as  much  as  possible. 

To  demonstrate  how  access  must  be  balanced  against  public  responsibility,  let  me 
outUne  a  few  of  the  areas  in  which  we  recommend  that  disclosure  of  health  informa- 
tion should  be  permitted  without  patient  authorization. 

Public  Health  and  Safety 

Under  certain  circumstances,  we  recommend  permitting  health  care  professionals, 
payers,  and  those  receiving  information  fi'om  them  to  disclose  health  information 
without  patient  authorization  to  public  health  authorities  for  disease  reporting,  ad- 
verse event  reporting,  public  health  and  safety  investigation,  or  intervention.  This 
is  currently  how  the  pubhc  health  system  operates  under  existing  State  and  federal 
laws. 

For  example,  consider  the  outbreak  of  E.  coli  in  hamburger  that  resulted  in  the 
largest  recall  of  meat  products  in  history.  Pubhc  health  authorities,  working  with 
other  officials,  used  personally  identifiable  information  to  identify  quickly  the  source 
of  the  outbreak  and  thereby  prevent  thousands  of  other  Americans  fi*om  being  ex- 
posed to  a  contaminated  product. 

Research 

An  important  mission  for  the  Department  of  Health  and  Human  Services  is  to 
fund  and  conduct  health  research.  We  understand  that  research  is  vitally  important 
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to  our  health  care  and  to  progress  in  medical  care.  Legislation  should  not  impede 
this  activity. 

Today  the  Federal  Policy  for  Protection  of  Human  Subjects  (the  Common  Rule) 
and  FDA's  Human  Subject  Protection  Regulations  protect  participants  in  research 
studies  that  are  funded  or  regulated  by  the  federal  government.  These  rules  help 
protect  the  research  subjects  while  not  impeding  the  conduct  of  research.  To  protect 
patient  privacy,  we  recommend  that  similar  protections  should  be  extended  to  all 
research  in  which  individually  identifiable  health  information  is  disclosed  without 
patient  authorization,  and  not  just  federally  funded  or  regulated  research. 

Researchers  should  determine  whether  their  research  requires  the  retention  of 

Personal  identifiers.  There  are  research  studies  that  can  only  be  conducted  if  identi- 
ers  are  retained;  for  example,  outcomes  studies  for  heart  attack  victims  or  the  re- 
cent study  which  identified  a  correlation  between  the  incidence  of  Sudden  Infant 
Death  SjTidrome  and  the  infant's  sleep  position.  In  addition,  if,  and  when,  personal 
identifiers  are  no  longer  needed,  the  researcher  should  be  required  to  remove  them 
and  provide  assurances  that  the  information  will  be  protected  fi^om  improper  use 
and  unauthorized  additional  disclosures. 

Under  the  Common  Rule,  if  personal  identifiers  are  necessary,  an  IRB  (Institu- 
tional Review  Board)  must  review  the  research  proposal  and  determine  whether  in- 
formed consent  is  required  or  may  be  waived.  In  order  for  informed  consent  to  be 
waived,  an  IRB  must  determine  that  the  research  involves  no  more  than  minimal 
risk  to  participants,  that  the  absence  of  informed  consent  will  not  adversely  affect 
the  rights  and  welfare  of  participants,  that  conducting  the  research  would  be  im- 
practicable if  consent  were  required,  and  that  whenever  appropriate,  the  partici- 
pants will  be  provided  with  additional  pertinent  information  after  p£irticipation. 
This  kind  of  IRB,  privacy  board,  or  a  similar  mechanism  of  review  should  be  appli- 
cable for  all  research  using  individually  identifiable  health  information  without  a 
patient  authorization,  regardless  of  funding  source. 

Because  the  Common  Rule  was  designed  for  protection  of  human  subjects  in  gen- 
eral, not  specifically  with  privacy  protection  in  mind,  our  Recommendations  included 
additional  criteria  for  release  of  information  without  the  subject's  consent.  We  in- 
cluded those  criteria  in  our  proposed  rule.  We  believe  that,  before  an  IRB  or  privacy 
board  can  approve  disclosure  of  health  information  without  the  subject's  consent,  it 
should  determine  that:  the  research  would  be  impracticable  to  conduct  without  the 
identifiable  health  information;  the  research  project  is  of  sufficient  importance  to 
outweigh  the  privacy  intrusion  that  would  result  from  the  disclosure;  there  is  an 
adequate  plan  to  protect  the  identifiers  from  improper  use  and  disclosure;  and  there 
is  an  adequate  plan  to  destroy  the  identifiers  at  the  earliest  opportunity,  unless 
there  is  a  health  or  research  justification  for  retaining  identifiers.  We  have  included 
these  additional  criteria  in  the  proposed  privacy  regulation. 

PREEMPTION 

Our  recommendations  call  for  national  standards.  But,  we  do  not  recommend  out- 
right or  overall  federal  preemption  of  existing  State  laws  that  are  more  protective 
of  health  information. 

Some  protections  that  we  recommend  will  be  stronger  than  some  existing  State 
laws.  Therefore,  we  recommend  that  Federal  legislation  replace  State  law  only  when 
the  State  law  is  less  protective  than  the  Federal  law.  Thus,  the  confidentiality  pro- 
tections provided  would  be  cumulative  and  the  Federal  legislation  would  provide 
every  American  with  a  basic  set  of  rights  with  respect  to  health  information. 

This  is  consistent  with  the  broader  approach  taken  to  preemption  in  the  HIPAA 
statute,  both  in  the  insurance  reform  provisions  and  the  administrative  simplifica- 
tion and  privacy  provisions.  For  the  most  part.  State  laws  that  go  further  than  the 
federal  law  are  preserved.  We  recognize  that  there  are  some  concerns  with  this  ap- 
proach. In  fact,  some  of  these  concerns  are  recognized  in  the  privacy  provisions  of 
the  HIPAA  statute,  which  create  carve  outs  from  preemptions  for  state  laws  govern- 
ing certain  public  health  functions  as  well  as  other  specific  activities  such  as  ft-aud 
and  abuse.  At  the  same  time,  we  believe  that,  if  a  federal  law  is  sufficiently  strong, 
states  will  not  need  to  enact  additional  privacy  legislation. 

HHS  PROPOSED  PRIVACY  STANDARDS 
Process  and  Status 

To  assist  us  in  developing  the  proposed  rule,  we  assembled  an  interagency  team 
including  representatives  from  all  parts  of  HHS,  as  well  as  the  Departments  of 
Labor,  Defense,  Commerce,  and  Justice,  the  Social  Security  Administration,  the  De- 
partment of  Veterans  Affairs,  the  Office  of  Personnel  Management,  and  the  Office 
of  Management  and  Budget.  We  published  the  proposed  rule  on  November  3  of 
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1999;  the  period  for  public  comment  closes,  today,  February  17,  2000  and  we  will 
call  upon  the  same  broad  team  to  review  and  respond  to  the  public  comments. 

We  have  also  continued  the  consultations  with  outside  groups  that  we  began  in 
preparing  the  Recommendations.  Since  the  proposed  rule  was  published,  we  have 
meet  with  over  ,  and  many  of  these  were  coalitions  representing  still  more  inter- 
ested parties.  We  have  learned  a  great  deal  from  these  consultations,  and  will  con- 
tinue fact-finding  outreach  as  necessary  based  on  our  review  of  the  public  com- 
ments. 

As  of  February  15,  we  had  received  over  30,000  comments  by  mail  or  hand  dehv- 
ered,  and  roughly  10,000  electronically  via  the  web.  Once  we  have  logged  in  all  the 
comments,  we  will  make  them  available  to  the  pubUc  on  our  web  site.  Although  we 
have  not  set  a  target  date  for  the  final  rule,  largely  because  we  do  not  know  how 
many  comments  we  will  receive,  we  intend  to  continue  to  make  this  regulation  a 
top  priority  and  publish  a  final  rule  as  soon  as  possible,  consistent  with  our  respon- 
sibility to  take  the  pubHc  comments  into  account. 

The  proposed  rule  is  based  on  the  five  key  principles  outhned  above,  from  the  Sec- 
retary's recommendations:  Boundaries,  Security,  Consumer  Control,  AccountabHity, 
and  PubHc  Responsibihty.  To  the  extent  possible  under  the  HIPAA  statutory  author- 
ity, it  implements  these  principles  as  discussed  in  detail  in  the  Recommendations. 

Because  the  proposed  rule  is  widely  available,  we  will  not  repeat  it  here.  Rather, 
we  will  highhght  a  few  areas  in  which  we  are  unable  to  implement  our  Rec- 
ommendation in  full  due  to  hmitations  in  the  Statutory  authority  provided  under 
the  HIPAA.  A  summary  of  the  proposed  rule  is  attached,  and  is  available  at  our 
web  site. 

WHY  THE  REGULATION  DOES  NOT  PROVIDE  COMPLETE  PROTECTION 

Coverage 

The  Recommendations  caU  for  legislation  that  apphes  to  health  care  providers  and 
payers  who  obtain  identifiable  health  information  from  individuals  and,  signifi- 
cantly, to  those  who  receive  such  information  from  providers  and  payers.  The  Rec- 
ommendations follow  health  information  from  initial  creation  by  a  health  plan  or 
health  care  provider,  through  various  uses  and  disclosures,  and  would  estabhsh  pro- 
tections at  each  step:  "We  recommend  that  everyone  in  this  chmn  of  information 
handling  be  covered  by  the  same  rules." 

However,  the  HIPAA  limits  the  appUcation  of  our  proposed  rule  to  health  plans, 
health  care  clearinghouses,  and  to  any  health  care  provider  who  transmits  health 
information  in  electronic  form  in  connection  with  transactions  referred  to  in  section 
1173(a)(1)  of  the  Act  (the  "covered  entities").  Unfortunately,  this  leaves  many  enti- 
ties that  receive,  use  and  disclose  protected  health  information  outside  of  the  system 
of  protection  that  we  propose  to  create. 

In  particular,  the  statute  does  not  directly  cover  many  of  the  persons  who  obtain 
identifiable  health  information  from  the  covered  entities.  In  the  rule  we  are,  there- 
fore, faced  with  creating  new  regulatory  permissions  for  covered  entities  to  disclose 
health  information,  but  cannot  directly  put  in  place  appropriate  restrictions  on  how 
many  of  the  Hkely  recipients  of  such  information  may  use  and  re-disclose  such  infor- 
mation. For  example,  the  Secretary's  Recommendations  proposed  that  protected 
health  information  obtained  by  researchers  not  be  further  disclosed  except  for  emer- 
gency circumstances,  for  a  research  project  that  meets  certain  conditions,  and  for 
oversight  of  research.  In  the  rule,  however,  we  cannot  impose  such  restrictions  di- 
rectly on  researchers;  instead,  we  propose  that  plans  and  providers  obtain  proof  of 
IRB  or  privacy  board  approval  of  the  research  protocol.  Additional  examples  of  per- 
sons who  receive  health  information  but  whom  we  cannot  reach  with  the  regulation 
include  employers,  workers  compensation  and  Hfe  insurance  issuers,  and  law  en- 
forcement officers.  We  also  do  not  have  the  authority  to  directly  regulate  many  of 
the  persons  that  covered  entities  hire  to  perform  administrative,  legal,  accounting, 
and  similar  services  on  their  behalf,  and  who  would  obtain  health  information  in 
order  to  perform  their  duties.  This  inabiUty  to  directly  address  the  information  prac- 
tices of  these  groups  leaves  an  important  gap  in  the  protections  provided  by  the  pro- 
posed rule. 

In  addition,  only  those  providers  who  engage  in  the  electronic  administrative  sim- 
plification transactions  can  be  covered  by  this  rule.  Any  provider  who  maintains  a 
solely  paper  information  system  would  not  be  subject  to  these  privacy  standards, 
thus  leaving  another  gap  in  the  system  of  protection  we  propose  to  create. 

The  need  to  match  a  regulation  limited  to  a  narrow  range  of  covered  entities  with 
the  reahty  of  information  sharing  among  a  wide  range  of  entities  led  us  to  consider 
severe  Hmits  on  the  type  or  scope  of  the  disclosures  that  would  be  permitted  under 
the  proposed  regulation.  The  disclosures  we  propose  to  allow,  however,  are  nec- 
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essary  for  smooth  operation  of  the  health  care  system  and  for  promoting  key  public 
goals  such  as  research,  public  health,  and  law  enforcement.  We  decided  that,  on  bal- 
ance, such  severe  limits  on  disclosures  could  do  more  harm  than  good.  The  only  ap- 
propriate way  to  fill  this  gap  in  protection  is  with  legislation  that  regulates  not  just 
the  disclosing  plans  and  providers,  but  also  those  receiving  health  information  from 
plans  and  providers. 

Enforcement 

Requirements  to  protect  individually  identifiable  health  information  must  be  sup- 

f)orted  by  real  and  significant  penalties  for  violations.  We  recommend  federal  legis- 
ation  that  would  include  punishment  for  those  who  misuse  personal  health  infor- 
mation and  redress  for  people  who  are  harmed  by  its  misuse.  We  believe  there 
should  be  criminal  penalties  (including  fines  and  imprisonment)  for  obtaining  health 
information  imder  false  pretenses,  and  for  knowingly  disclosing  or  using  protected 
health  information  in  violation  of  the  federal  privacy  law.  We  also  believe  that  there 
should  be  civil  monetary  penalties  for  other  violations  of  the  law,  and  that  any  indi- 
vidual whose  rights  xmder  the  law  have  been  violated  should  be  permitted  to  bring 
an  action  for  actual  damages  and  equitable  relief.  Only  if  we  put  the  force  of  law 
behind  our  rhetoric  can  we  expect  people  to  have  confidence  that  their  health  infor- 
mation is  protected,  and  ensure  that  those  holding  health  information  will  take 
their  responsibilities  seriously. 

In  HIPAA,  Congress  did  not  provide  sufficient  enforcement  authority.  There  is  no 
private  right  of  action  for  individuals  to  enforce  their  rights.  In  addition,  we  are  con- 
cerned that  the  penalty  structure  does  not  reflect  the  importance  of  these  privacy 
protections  and  the  need  to  maintain  public  trust  in  the  system. 

For  these  and  other  reasons,  we  continue  to  call  for  federal  legislation  to  ensure 
that  privacy  protection  for  health  information  will  be  strong  and  comprehensive. 

CONCLUSION 

Mr.  Chairman,  the  five  principles  embodied  in  our  recommendations  and  proposed 
regulation — Boundaries,  Security,  Consumer  Control,  Accountability,  and  Public  Re- 
sponsibility— should  guide  a  law  that  will  create  comprehensive  federal  standards 


The  principles  represent  a  practical,  comprehensive  and  balanced  strategy  to  pro- 
tect health  care  information  that  is  collected,  shared,  and  used  in  an  increasingly 
complex  world. 

In  addition  to  creating  new  federal  standards,  we  must  ensure  that  every  single 
person  who  comes  in  contact  with  health  care  information  understands  why  it  is  im- 
portant to  keep  the  information  safe,  how  it  can  be  kept  safe,  and  what  will  be  the 
consequences  for  failing  to  keep  it  safe.  Most  of  all,  we  must  help  consumers  under- 
stand not  just  their  privacy  rights,  but  also  their  responsibilities  to  ask  questions 
and  demand  answers — to  become  active  participants  in  their  health  care. 

Mr.  Chairman,  we  in  the  Department  and  the  Administration  are  eager  to  work 
with  you  to  enact  strong  national  medical  privacy  legislation. 

Thank  you  again,  for  giving  me  this  opportunity  to  testify.  I  look  forward  to  an- 
swering any  questions  that  you  may  have. 

Proposed  Standards  for  Privacy  of  Individually  Identifiable  Health 

Information 

Statutory  Requirement 

Section  264  of  the  Health  Insurance  Portability  and  Accountability  Act  of  1996 
(HIPAA),  PubHc  Law  104-191,  enacted  August  21,  1996,  requires  that,  if  legislation 
establishing  privacy  standards  is  not  enacted  "by  the  date  that  is  36  months  after 
the  date  of  the  enactment  of  this  Act,  the  Secretary  of  Health  and  Human  Services 
shall  promulgate  final  regulations  containing  such  standards  not  later  than  the  date 
that  is  42  months  after  the  date  of  the  enactment  of  this  Act." 

The  statutory  deadline  for  Congress  to  enact  legislation  was  August  21,  1999.  Ab- 
sent legislation,  HHS  has  developed  its  proposed  rule. 

Overview 

The  proposed  rule  would: 
• 

•  allow  health  information  to  be  used  and  shared  easily  for  the  treatment  and  for 
payment  of  health  care; 

•  allow  health  information  to  be  disclosed  without  an  individual's  authorization 
for  certain  national  priority  purposes  (such  as  research,  public  health  and  over- 
sight), but  only  under  defined  circumstances; 
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•  require  written  authorization  for  use  and  disclosure  of  health  information  for 
other  purposes,  and 

•  create  a  set  of  fair  information  practices  to  inform  people  of  how  their  informa- 
tion is  used  and  disclosed,  ensiire  that  they  have  access  to  information  about  them, 
and  require  health  plans  and  providers  to  maintain  administrative  and  physical 
safeguards  to  protect  the  confidentiaHty  of  health  information  and  protect  against 
unauthorized  access. 

Scope 

a.  Entities  covered  by  the  proposed  rule 

•  Health  care  providers  who  transmit  health  information  electronically 

•  Health  plans 

•  Health  care  clearinghoiises 

b.  Health  information  covered  by  the  proposed  rule  ("Protected  health  informa- 
tion") 

•  Protection  would  start  when  information  becomes  electronic,  and  would  stay 
with  the  information  as  long  as  the  information  is  in  the  hands  of  a  covered  entity. 

•  Information  becomes  electronic  either  by  being  sent  electronically  as  one  of  the 
specified  Administrative  Simplification  transactions  or  by  being  maintained  in  a 
computer  system. 

•  The  paper  progeny  of  electronic  information  is  covered;  the  information  would 
not  lose  its  protections  simply  because  it  is  printed  out  of  the  computer. 

•  HIPAA  protects  the  imormation  itself,  not  the  record  in  which  the  information 
appears. 

•  The  information  must  be  "identifiable."  If  the  information  has  any  components 
that  could  be  used  to  identify  the  subject,  it  would  be  covered. 

General  rules 

We  propose  that  covered  entities  be  prohibited  fi-om  using  or  disclosing  health  in- 
formation except:  as  authorized  by  the  patient,  or  as  exphcitly  permitted  by  the  reg- 
ulation. The  regulation  would  permit  use  and  disclosure  of  health  information  with- 
out authorization  for  purposes  of  health  care  treatment,  payment  and  operations, 
and  for  specified  national  poUcy  activities  under  conditions  tailored  for  each  type  of 
such  permitted  use  or  disclosure. 

•  Tlie  amoimt  of  information  to  be  used  or  disclosed  would  be  restricted  to  the 
minimum  amount  necessary  to  accomplish  the  relevant  purpose,  taking  into  consid- 
eration practical  and  technologicsd  limitations. 

•  There  would  be  exceptions  for  situations  in  which  assessment  of  what  is  mini- 
mally necessary  is  appropriately  made  by  someone  other  than  the  covered  entity 
(e.g.,  such  as  when  an  individual  authorizes  a  use  or  disclosure  of  information,  or 
when  the  disclosure  is  mandatory  under  another  law). 

•  We  would  allow  covered  entities  to  rely  on  requests  by  certain  pubHc  agencies 
in  determining  the  minimum  necessary  information  for  certain  disclosures. 

•  Under  the  principle  of  minimum  necessary  use,  if  an  entity  consists  of  several 
different  components,  the  entity  would  be  required  to  create  barriers  between  com- 
ponents so  that  information  is  not  used  or  shared  inappropriately. 

•  To  encourage  covered  entities  to  strip  identifiers  from  health  information  when 
it  is  possible  to  do  so,  we  would  permit  a  covered  entity  to  use  and  disclose  such 
de-identified  information  in  any  way,  provided  that: 

•  it  does  not  disclose  the  key  or  other  mechanism  that  would  enable  the  informa- 
tion to  be  re-identified,  and 

•  it  has  no  reason  to  beUeve  that  such  use  or  disclosure  will  result  in  the  use  or 
disclosure  of  protected  health  information  (e.g.,  because  the  recipient  has  the  means 
to  re-identify  the  information). 

•  We  would  treat  the  key  to  coded  identifiers  the  same  as  the  information  to 
which  it  pertains.  A  covered  entity  could  use  or  disclose  a  key  only  as  it  could  use 
or  disclose  the  imderlying  information. 

•  We  would  permit  covered  entities  to  disclose  protected  health  information  to 
persons  they  hire  to  perform  functions  on  their  behalf,  where  such  information  is 
needed  for  that  function.  These  "business  partners"  would  include  contractors  such 
as  lawyers,  auditors,  consultants,  health  care  clearinghouses,  and  billing  firms,  but 
not  members  of  the  covered  entity's  workforce. 

•  Except  where  the  business  partner  is  providing  a  treatment  consultation  or  re- 
ferral, we  would  require  covered  entities  to  enter  into  contracts  with  their  business 
partners  and  woiild  require  the  contracts  to  include  terms  to  ensure  that  the  pro- 
tected health  information  disclosed  to  a  business  partner  remains  confidential.  Busi- 
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ness  partners  would  not  be  permitted  to  use  or  disclose  protected  health  information 
in  ways  that  would  not  be  permitted  of  the  covered  entity  itself.  We  use  the  contract 
as  a  tool  for  protecting  information,  because  the  HIPAA  does  not  provide  legislative 
authority  for  the  rule  to  reach  many  such  business  partners  directly. 

•  The  uses  and  disclosures  permitted  by  this  rule  would  be  exactly  that — per- 
mitted, not  required.  For  disclosures  not  compelled  by  other  law,  providers  and  pay- 
ers would  be  free  to  disclose  or  not,  according  to  their  own  policies  and  principles. 
At  the  same  time,  nothing  in  this  rule  would  provide  authority  for  a  covered  entity 
to  refuse  to  make  a  disclosure  mandated  by  other  law. 

•  Only  two  disclosures  would  be  required  by  this  proposed  rule:  disclosure  to  the 
subject  individual  pursuant  to  the  individual's  request  to  inspect  and  copy  health 
information  about  him  or  her,  and  certeiin  disclosures  for  the  purposes  of  enforcing 
the  rule. 

•  Health  information  covered  by  the  proposed  rule  generally  would  remain  pro- 
tected for  two  years  after  the  death  of  the  subject  of  the  information,  subject  to  cer- 
tain exceptions. 

Disclosures  without  authorization  for  health  care  treatment,  payment,  and  operations 

•  Covered  entities  could  use  and  disclose  protected  health  information  without  au- 
thorization for  treatment,  pa3nnent  and  health  care  operations.  This  would  include 
purposes  such  as  quality  assurance,  utiHzation  review,  credentiahng,  and  other  ac- 
tivities that  are  part  of  ensuring  appropriate  treatment  and  pa3nnent. 

•  Individuals  generally  could  ask  a  covered  entity  to  restrict  further  use  and  dis- 
closure of  protected  health  information  for  treatment,  pajrment,  or  health  care  oper- 
ations, with  the  exception  of  uses  or  disclosures  required  by  law.  The  covered  entity 
would  not  be  required  to  agree  to  such  a  request,  but  if  the  covered  entity  and  the 
individual  agree  to  a  restriction,  the  covered  entity  would  be  boxmd  by  the  agree- 
ment. 

Uses  and  disclosures  with  individual  authorization 

•  Covered  entities  could  use  or  disclose  protected  health  information  with  the  in- 
dividual's authorization  for  almost  any  lawful  purpose. 

•  We  would  prohibit  covered  entities  from  conditioning  treatment  or  payment  on 
the  individual  agreeing  to  disclose  information  for  other  purposes,  and  require  the 
authorization  form  to  state  this  prohibition. 

•  While  the  provisions  of  this  proposed  rule  are  intended  to  make  authorizations 
for  treatment  and  payment  purposes  unnecessary,  some  States  may  continue  to  re- 
quire them.  Generally,  this  rule  would  not  supersede  such  State  requirements.  How- 
ever: 

•  the  rule  would  impose  a  new  requirement  that  such  State-mandated  authoriza- 
tions must  be  physically  separate  from  an  authorization  for  other  purposes  de- 
scribed in  this  rule. 

•  the  authorization  would  have  to  meet  the  rule's  requirements  for  the  content 
of  such  authorizations  (although  a  state  law  could  require  that  an  authorization  con- 
tain additional  provisions). 

•  We  would  require  authorizations  to  specify  the  information  to  be  disclosed,  who 
would  get  the  information,  and  when  the  authorization  would  expire.  If  an  author- 
ization is  sought  so  that  a  covered  entity  may  sell  or  barter  the  information,  the 
covered  entity  would  have  to  disclose  this  fact  on  the  authorization  form. 

•  Use  or  disclosure  of  information  by  the  covered  entity  inconsistent  with  the  au- 
thorization would  be  imlawful. 

•  Individuals  could  revoke  an  authorization. 

Permissible  uses  and  disclosures  for  purposes  other  than  treatment,  payment  and  op- 
erations 

•  Covered  entities  could  use  and  disclose  protected  health  information  without  in- 
dividual authorization  for  the  following  national  priority  activities: 

•  Oversight  of  the  health  care  system,  including  qusdity  assurance  activities; 

•  Public  health,  and  in  emergencies  affecting  life  or  safety; 

•  Research; 

•  Judicial  and  administrative  proceedings; 

•  Law  enforcement; 

•  To  provide  information  to  next-of-kin; 

•  For  identification  of  the  body  of  a  deceased  person,  or  the  cause  of  death; 

•  For  government  health  data  systems; 

•  For  facilities'  (hospitals,  etc.)  directories; 

•  To  financial  institutions,  for  processing  payments  for  health  care;  and 
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•  In  other  situations  where  the  use  or  disclosure  is  mandated  by  other  law,  con- 
sistent with  the  requirements  of  the  other  law. 

•  Specific  conditions  would  have  to  be  met  in  order  for  the  use  or  disclosure  of 
protected  health  information  to  be  permitted.  These  conditions  are  tailored  to  the 
need  for  each  specific  category  listed  above  and  to  the  types  of  organizations  in- 
volved in  such  activities. 

Individual  rights 

The  proposed  rule  would  provide  several  basic  rights  for  individuals  with  respect 
to  protected  health  information  about  them.  Individuals  would  have: 

•  The  right  to  receive  a  written  notice  of  information  practices  fi'om  health  plans 
and  providers.  The  notice  must  describe  the  t3^es  of  uses  and  disclosures  that  the 
plan  or  provider  would  make  with  health  information  (not  just  those  uses  and  dis- 
closures that  could  lawfully  be  made).  When  plans  and  providers  change  their  infor- 
mation practices,  they  would  also  have  to  update  the  notice.  Plans  and  providers 
would  be  required  to  follow  the  information  practices  specified  in  their  most  current 
notice. 

•  The  right  to  obtain  access  to  protected  health  information  about  them,  including 
a  right  to  inspect  and  obtain  a  copy  of  the  information. 

•  The  right  to  request  amendment  or  correction  of  protected  hecdth  information 
that  is  inaccurate  or  incomplete. 

•  The  right  to  receive  an  accounting  of  the  instances  where  protected  health  infor- 
mation about  them  has  been  disclosed  by  a  covered  entity  for  purposes  other  than 
treatment,  pajnnent,  or  health  care  operations  (subject  to  certain  time-limited  excep- 
tions for  disclosures  to  law  enforcement  and  oversight  agencies) 

Administrative  requirements  and  policy  development  and  documentation 

This  proposed  rule  would  require  providers  and  payers  to  develop  and  implement 
basic  administrative  procedures  to  protect  health  information  and  the  rights  of  indi- 
viduals with  respect  to  that  information. 

•  Covered  entities  would  be  required  to  maintain  documentation  of  their  policies 
and  procedures  for  complying  with  the  requirements  of  the  proposed  rule.  The  docu- 
mentation must  include  a  statement  of  the  entit^s  practices  regarding  who  would 
have  access  to  protected  health  information,  how  that  information  would  be  used 
within  the  entity,  and  when  that  information  would  or  would  not  be  disclosed  to 
other  entities. 

•  Covered  entities  would  be  required  to  have  in  place  administrative  systems,  ap- 
propriate to  the  nature  and  scope  of  their  business,  that  enable  them  to  protect 
health  information  in  accordance  with  this  rule.  Specifically,  covered  entities  would 
be  required  to: 

•  designate  a  privacy  official; 

•  provide  privacy  training  to  members  of  its  workforce; 

•  implement  safeguards  to  protect  health  information  from  intentional  or  acciden- 
tal misuse; 

•  provide  a  means  for  individuals  to  lodge  complaints  about  the  entity's  informa- 
tion practices,  and  maintain  a  record  of  any  complaints;  and 

•  develop  a  system  of  sanctions  for  members  of  the  workforce  and  business  part- 
ners who  violate  the  entity's  policies. 

Scalability 

We  propose  privacy  standards  that  covered  entities  must  meet,  but  leave  the  de- 
tailed policies  and  procedures  for  meeting  these  standards  to  the  discretion  of  each 
covered  entity. 

•  We  intend  that  implementation  of  these  standards  be  flexible  and  scalable,  to 
account  for  nature  of  each  covered  entity's  business,  and  the  covered  entity's  size 
and  resources.  We  would  require  that  each  covered  entity  assess  its  own  needs  and 
implement  privacy  policies  appropriate  to  its  information  practices  and  business  re- 
quirements. 

•  The  preamble  to  the  proposed  rule  will  include  examples  of  how  implementation 
of  these  standards  are  scalable. 

Preemption 

Pursuant  to  HIPAA,  this  rule  will  preempt  state  laws  that  are  in  conflict  with 
the  regulatory  requirements  and  that  provide  less  stringent  privacy  protections, 
with  specified  exceptions  for  certain  public  health  functions  and  related  activities. 
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Enforcement 

•  Under  HIPAA,  the  Secretary  is  granted  the  authority  to  impose  civil  monetary 
penalties  against  those  covered  entities  which  fail  to  comply  with  the  requirements 
of  this  regulation. 

•  HIPAA  also  established  criminal  penalties  for  certain  wrongful  disclosures  of 
protected  health  information.  These  penalties  are  graduated,  increasing  if  the  of- 
fense is  committed  under  false  pretenses,  or  with  intent  to  sell  the  information  or 
reap  other  personal  gain, 

•  Civil  monetary  penalties  are  capped  at  $25,000  for  each  calendar  year  for  each 
standard  that  is  violated. 

What  this  proposed  rule  does  not  do 

•  The  HIPAA  limits  the  application  of  our  proposed  rule  to  the  covered  entities. 
It  does  not  provide  the  authority  for  the  rule  to  reach  many  entities  that  receive 
health  information  from  these  covered  entities,  so  the  rule  cannot  put  in  place  ap- 
propriate restrictions  on  how  such  recipients  of  protected  health  information  may 
use  and  re-disclose  such  information. 

•  Any  provider  who  maintains  a  solely  paper  information  system  cannot  be  sub- 
ject to  these  privacy  standards. 

•  There  is  no  statutory  authority  for  a  private  right  of  action  for  individuals  to 
enforce  their  privacy  rights. 


Chairman  THOMAS.  Thank  you,  Dr.  Hamburg. 

In  my  opening  comments  I  indicated  some  concern  about  the 
timehne  for  issuing  final  regulations  and  it  has  become  something 
of,  if  not  a  joke,  at  least  a  model  for  us  to  be  concerned  about.  I 
am  referring  to  the  1993  legislation  that  is  commonly  referred  to 
as  Stark  II  in  terms  of  self-referral,  compensation  and  ownership. 
I  have  long  thought  that  the  ownership  portion  made  complete 
sense  and  that  portion  has  not  been  too  difficult  to  get  a  handle 
on.  But  you  have  been  chasing  the  elusive  butterfly  of  compensa- 
tion for  seven  years  now  and  you  still  have  not  issued  final  regula- 
tions. 

I  am  guessing,  as  you  indicated  with  all  of  the  concerns  and  frus- 
trations with  the  underlying  legislation,  although  I  think  setting 
up  some  parameters  that  you  bumped  into,  some  of  which  you 
seemed  to  be  able  to  knock  over  and  keep  going  for  whatever  rea- 
sons and  decided  to  stop  with  the  others  that  were  in  the  legisla- 
tion, it  might  be  ultimately  a  useful  thing  so  that  we  can  at  least 
focus  on  friction  areas  or  problem  areas.  But  in  the  Stark  II  legisla- 
tion, seven  years  no  final  regulation  in  the  area  of  compensation. 

I  personally  believe  that  if  you  do  issue  final  regs  all  they  will 
be  will  be  intermediate  final  regs  which  will  then  have  to  be  fine- 
tuned  by  legislation  and  in  fact  I  am  trying  to  short-circuit  that. 

That  is  by  way  of  a  preamble  of  saying,  I  do  not  think  we  can 
let  that  history  be  a  model  in  this  particular  area.  There  have  been 
attempts,  primarily  on  the  Senate  side,  to  move  forward  legisla- 
tively. I  want  to  underscore  the  gratitude  from  myself,  and  based 
upon  the  comments,  shared  by  other  members  of  this  subcommittee 
on  your  willingness  to  jump  in  and  move  relatively  expeditiously. 

However,  you  have  come  up  with  just  a  couple  of  points  that  I 
would  like  to  highlight  in  terms  of  the  difficulty  and  invite  your  re- 
sponse. I  do  not  want  to  go  into  an  extensive  question  and  answer 
period.  I  will  submit  in  writing  to  you  so  you  can  feel  comfortable 
in  commenting  on  them  about  two  dozen  additional  questions,  some 
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of  which  I  might  have  ordinarily  asked,  so  that  we  can  better  un- 
derstanding your  thinking  in  particular  areas. 

So  the  questions  that  I  would  ask  you  are  kind  of  general  but 
highlight  the  concerns  in  particular  areas.  You  indicate  that  you 
have  made  a  cost  estimate  of  this  particular  legislation  of  about 
$3.8  bilhon.  Often  times  we  joke  about  how  close  something  is  for 
Government  work.  So  if  you  are  off  by  a  factor  of  two,  that  is  close 
enough  for  Government  work.  A  factor  of  three  to  five,  that  is  prob- 
ably sloppy  Government. 

But  what  we  are  going  to  hear  is  testimony  that  you  may  be  off 
as  much  as  seven,  eight,  10  times  the  amount  of  money,  in  part  be- 
cause, I  believe,  of  the  ripple  effect  to  secondary  structures  other- 
wise known,  for  example,  as  business  partners  who  are  covered  en- 
tities and  that  you  require  a  level  of  knowledge  and  performance 
on  a  ripple  out  aspect  that  I  have  a  hard  time  believing  was  part 
of  your  estimate  contained  in  the  $3.8  billion. 

Do  you  have  a  comfort  level  that  the  $3.8  billion  is  a  pretty  com- 
plete cost  analysis  on  what  will  be  hopefully,  with  minor  adjust- 
ments, the  final  rule?  Or  are  you  planning  on  doing,  based  upon 
the  comments  submitted,  a  more  complete  cost  analysis  before  pub- 
lishing a  final  rule? 

Dr.  Hajvibitig.  That,  of  course,  is  a  very  important  question.  We 
had  put  forward  a  cost  estimate  that  spanned  a  range,  about  $1.6 
to  $6.3  billion,  but  recognized  that  there  were  areas  of  activity  con- 
tained within  the  proposed  regs  where  we  did  not  have  very  good 
data  for  doing  cost  analysis,  and  one  of  the  things  we  asked  for  in 
the  process  of  comment  was  for  additional  data  that  could  help  en- 
lighten these  concerns. 

There  have  been  cost  estimates  that  have  been  put  out  and  other 
evaluations  that  we  think  are  quite  inflated,  that  cost  out  activities 
that  in  fact  are  not  contained  within  our  regs.  Of  course,  we  recog- 
nize that  we  put  forward  a  proposed  reg  on  a  complex  issue  for 
which  there  Eire  many,  as  you  say,  ripple  effects,  many  interested 
parties,  and  the  final  regulation  will  be  shaped  very  much  by  the 
kinds  of  comments  that  are  coming  in. 

We  will  be  looking  very  closely  the  cost  issues  but  we  do  believe 
that  the  cost  estimates  that  have  been  put  forward  by  some  other 
entities  really  do  not  crosswalk  with  what  is  in  the  reg  as  it  cur- 
rently exists.  We  will  look  closely  at  those  so  that  we  can  compare 
how  they  got  to  their  numbers,  how  we  got  to  our  numbers,  and 
we  have  been  engaged  in  that.  We  do  need  to  look  at  some  areas 
where  we  did  not  feel  we  had  adequate  data  and  see  if  new  data 
sheds  new  light. 

Chairman  Thomas.  I  do  not  want  anyone  to  assimie  that  what 
is  driving  this  is  a  cost  consideration.  It  is  just  that  I  would  Hke 
to  have  it  as  accurate  as  we  can  because,  frankly,  when  you  move 
to  these  other  business  partners  as  covered  entities — I  mean,  there 
are  existing  relationships — you  are  going  on  top  of,  in  many  in- 
stances, State  laws.  And  of  course,  there  are  preexisting  State  U- 
censing  requirements  that  deal  with  professional  conduct. 

It  just  seems  to  me  that  as  you  extend  this  umbrella  of  a  partial 
Federal  structure  as  you  do,  it  is  going  to  require  necessarily  re- 
negotiations of  a  number  of  contracts  which  may  in  fact  either  im- 
pede care  that  is  out  there  or  produce  some  disruption  in  the  struc- 
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ture  which  will  have  dollar  value  to  it.  It  may  be  extremely  difficult 
to  put  a  value  on  that. 

But  one  of  the  questions  that  I  would  have  and  you  may  want 
to  respond  briefly  now  but  it  will  be  a  part  of  the  written  question 
area  is,  did  you  consider  and  why  did  you  reject  dealing  with  busi- 
ness partners  being  required  to  certify  that  they  comply  with  the 
regulations,  not  take  one  of  the  covered  entities  and  hold  them  lia- 
ble for  a  business  partner's  failure  to  comply?  Some  degree  of  cer- 
tification would  partially  shift  the  responsibility. 

Now  I  know  you  are  limited  by  the  legislative  window  that  is 
available  to  you.  Would  this  be  an  area  in  which  clearly  from  a  leg- 
islative point  of  view  we  would  want  to  focus  in  some  detail? 

Dr.  Hamburg.  I  think  we  all  share  the  concern  that  these  pri- 
vacy protections  be  meaningful,  real,  and  enduring,  and  our  desire 
in  addressing  the  business  partners  question  was  to  ensure  that, 
if  we  had  privacy  protections  on  the  covered  entities,  that  informa- 
tion that  they  would  be  sharing  with  business  partners  would  con- 
tinue to  receive  the  same  protections  that  the  consumers  would 
now  have  the  expectation  of  having. 

Because  of,  as  you  say,  the  constraints  of  the  statute,  we  cannot 
directly  regulate  those  business  partners,  but  we  felt  that  we  were 
trying  to  achieve  in  the  proposed  reg  just  what  you  were  asking 
about:  the  certification  that  they  would  comply  with  the  same  pri- 
vacy protections,  and  through  the  contractual  mechanism  we 
thought  that  could  be  achieved. 

Chairman  Thomas.  One  of  the  real  concerns  I  have  shared  by 
the  way  by  a  colleague  on  this  committee,  Ben  Cardin,  as  we  have 
attempted  to  move  forward  in  concert  in  a  bipartisan  way  in  deal- 
ing with  this  area  is  that  although  there  is  some  great  desire  to 
maintain  a  State  structure  and  a  Federal  structure  and  your  goal 
was  to  build  a  floor  while  allowing  individual  States  to  have  ceil- 
ings. 

But  the  veiy  fact  that  you  have  got  to  reconcile  this  kind  of  crazy 
quilt  of  relationships,  especially  when  you  throw  in  a  number  of 
phrases  that  deal  with  minimums,  in  what  way  do  they  relate  to 
State  structures,  that  perhaps  it  just  might  be  a  better  way  of  look- 
ing at  this  whole  area  if  you  do  not  say  that  given  today's  world, 
paper  or  electronic,  that  a  Federal  preemption  providing  a  uniform 
structure  across  all  States,  one,  might  not  be  a  better  way  to  afford 
protection  and  confidentiality.  But  two,  would  eliminate  this  ex- 
tremely difficult  job  of  tr3dng  to  mesh  from  a  floor  to  a  ceiling,  dif- 
ferent State  as  well  as  now,  new  Federal  regulations  and  imposi- 
tions. 

Do  you  personally  believe  that  the  approach  that  the  legislation 
requires  you — that  is,  you  could  not  offer  Federal  preemption — that 
structure  is  in  fact  the  better  way  to  go? 

Dr.  Hamburg.  This  has  been  the  topic  of  great  debate  and  many 
well-informed  thoughtful  thinkers  weighing  in  on  differing  sides.  I 
think  what  we  are  trying  to  achieve  is,  as  you  say,  the  establish- 
ment of  a  clear  set  of  protections  in  which  the  consumers  can  have 
confidence.  If  that  were  to  be  achieved  I  think  States  would  feel 
less  of  a  need  to  fill  in  the  gaps  and  create  their  own  privacy  laws. 

There  are,  however,  different  concerns  in  different  States.  There 
are  different  issues  that  emerge.  There  are  new  technologies  that 
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impact  different  places  differently.  So  to  allow  States  to  continue 
to  have  some  flexibility  as  they  see  fit  to  tailor  the  law  to  suit  their 
needs  seems  like  a  reasonable  approach.  But  I  do  think  that  having 
comprehensive  national  privacy  legislation  would  go  very  far  in  re- 
ducing this  patchwork  approach. 

Chairman  Thomas.  So  you  have  firmly  established  yourself  on 
the  one  hand,  and  then  on  the  other.  One  of  the  frustrations  of  this 
job  is  that  I  almost  always  want  to  inquire  if  any  agency  that  is 
going  to  testify  has  a  one-armed  member  of  the  agency  so  that 
when  they  come  they  would  not  be  able  to  be  on  the  one  hand  and 
on  the  other. 

For  example,  you  actually  propose  to  preempt  State  law,  do  you 
not,  in  this  regulation? 

Dr.  Hamburg.  We  propose  that  where  the  regs  would  be  more 
stringent  that  it  would — 

Chairman  Thomas.  Preempt  State  law. 

Dr.  Hamburg.  — override  State  law. 

Chairman  Thomas.  Preempt  State  law. 

Dr.  Hamburg.  Yes. 

Chairman  Thomas.  Ovenide  State  law.  Say  that  a  State  in  its 
wisdom  in  making  a  decision  in  this  was  not  very  wise  and  we  are 
going  to  impose  our  regulation  in  this  area.  So  you  already  have 
what  I  consider  to  be  taken  the  first  step.  You  believe  there  are 
States  whose  laws  should  be  preempted  by  this  Federal  standard. 
But  then  you  say  you  are  going  to  allow  States  to  continue  to  make 
regulations  in  particular  areas. 

We  are  going  to  enter  an  area,  in  large  part  based  upon  the  pub- 
licity of  data  that  is  somewhat  aged  at  the  current  time,  in  the 
area  of  medical  errors  with  the  publication  of  the  Institute  of  Medi- 
cine's, To  Err  is  Human.  Would  not  3^our  proposal,  that  is  preempt 
some  areas  and  not  preempt  others,  invite  States  to  then  go  ahead 
and  pass  laws  in  terms  of  restricting  the  ability  to  collect  informa- 
tion which  we  might  consider  to  be  essential  in  removing  what  ev- 
eryone says  they  want  to  remove,  and  that  is  the  up  to  100,000 
deaths  a  year  through  medical  errors? 

I  would  like  you,  if  you  could  succinctly  as  possible,  explain  the 
Administration's  position  that  in  certain  areas  we  want  uniformity, 
but  in  the  most  sensitive,  most  extreme  areas  where  we  have  got 
to  gather  the  data  that  is  most  important,  you  think  it  is  best  to 
have  a  crazy  quilt  of  State  laws  controlling  the  flow  of  this  informa- 
tion. What  is  the  rationale  behind  that  approach? 

Dr.  Hamburg.  I  think  that,  as  I  have  articulated  already,  the  ap- 
proach that  is  being  put  forward  is  to  create  a  strong  foundation 
of  privacy  protection  that  would  capture  what  is  believed  to  rep- 
resent a  firm  foundation,  and  then  allow  States  the  flexibility  to  re- 
spond to  the  issues  that  arise  within  their  States  and  from  their 
specific  constituencies,  and  respond  to — 

Chairman  ThotvIAS.  Including  a  strong  feeling  that  certain  infor- 
mation, notwithstanding  the  fact  we  believe  it  is  necessary  by 
building  that  floor,  should  not  be  allowed  to  flow  and  therefore  we 
are  going  to  restrict  it? 

Dr.  Hamburg.  I  think  that  States  should  not  be  prevented  to  re- 
spond to  needs  that  they  believe  have  not  been  addressed,  to  re- 
spond to  emerging  concerns,  and  to  respond — 
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Chairman  Thomas.  You  started  off  your  statement  by  indicating 
that  just  Hke  freedom  of  speech  it  is  not  absolute,  and  that  in  fact 
in  some  areas  individual  rights  need  to  be  weighed  in  relationship 
to  the  public's  right  to  know  and  I  guess  public  health  is  one  of  the 
better  areas.  My  concern  is  that  you  begin  to  get  into  this  thicket 
very  clearly  with  the  Administration's  approach  in  which  we  are 
going  to  have  to  play  catch-up,  and  as  soon  as  these  regulations  be- 
come final,  if  they  do,  there  is  no  question  in  my  mind  that  a  num- 
ber of  State  legislatures  will  begin  to  move. 

They  are  not  moving  as  rapidly  now — Minnesota  being  one  of  the 
prime  examples  in  terms  of  the  enormous  difficulty  that  an  institu- 
tion with  as  much  as  prestige  as  the  Mayo  Clinic  has,  has  done  its 
darnedest  to  get  the  private  agreement  of  individuals,  which  is  the 
requirement  of  the  Minnesota  law.  And  the  foundation  for  the  ex- 
cellence of  medicine  at  the  Mayo  Clinic  is  the  epidemiological  stud- 
ies in  which  they  are  now  looking  at  a  3  percent  hole  in  their  infor- 
mation. Somebody  might  say,  gee,  97  percent  is  pretty  good.  As 
most  of  know  in  terms  of  collecting  data  or  doing  research,  it  is  not. 
It  is  a  hole  in  the  data  that  makes  the  data  sometimes  absolutely 
useless. 

Very  concerned  about  the  attempt  to  create  a  structure  which  in 
fact  will  expedite  our  inability  to  go  where  we  need  to  go,  especially 
in  the  area,  for  example,  of  medical  errors. 

Let  me  give  you  just  one  example  in  terms  of  the  rule  that  I  have 
some  concern  about,  because  the  proposed  rule  prohibits  the  disclo- 
sure of  research  information  imrelated  to  treatment  without  an  in- 
dividual's authorization.  Would  you  at  least,  since  obviously  you 
have  a  medical  background  and  I  do  not,  indicate  to  me  that  there 
are  sometimes  disagreements  as  to  what  information  is  or  is  not  re- 
lated to  treatment?  That  a  phrase,  unrelated  to  treatment,  is  at 
least  open  to  differing  interpretation? 

Dr.  Hamburg.  To  respond  to  the  broad  comment  that  you  made 
about  access  to  information  for  research,  there  are  within  the  pro- 
posed regs  clear  issues  raised  about  that,  and  an  indication  that 
there  should  be  circumstances  in  which  researchers  can  receive 
data  about  individual  patients,  but  that  there  needs  to  be  a  process 
that  is  clearly  defined  and  a  set  of  standards  that  are  met  in  terms 
of  that  information  being  made  available  and  then  how  it  is  han- 
dled. Not  all  research  requires  patient  identifiers  with  that  infor- 
mation. So  when  you  do  not  need  to  use  patient  identifiers,  that 
clearly  provides  more  patient  protection. 

With  respect  to  your  question  of  is  there  a  fuzziness  around 
whether  the  information  that  would  go  to  a  researcher  is  relevant 
to  treatment — 

Chairman  Thomas.  No,  not  relevant.  Unrelated.  Not  relevant. 
Unrelated  is  the  term  that  is  used  in  the  proposed  reg. 

Dr.  Hamburg.  I  am  not  completely  sure  that  I  understand  your 
question.  If  you  are  asking  whether  it  will  have — 

Chairman  Thomas.  I  will  submit  it  in  writing  and  you  can  have 
others  who  were  more  directly  involved  in  writing  it — 

This  is  the  kind  of  dilemma  that  I  would  like  to  leave  with  you 
and  then  I  will  allow  my  colleague  some  questions.  What  would  the 
department  do — just  as  a  for  instance,  what  would  the  department 
do  if  a  State  passed  a  privacy  law  that  enabled  providers  to  with- 


29 


hold  what  you  considered  to  be  critical  public  health  information? 
Now  again,  sometimes  this  information  is  in  the  eye  of  the  be- 
holder. 

Or  for  example,  that  enabled  providers  to  frustrate  a  Federal 
anti-fraud  investigation.  Not  related  to  public  health  but  related  to 
an  anti-fraud  investigation.  Is  it  still  the  Administration's  position 
that  in  these  particular  instances  the  sovereign  would  be  able  to 
go  in  and  overturn  the  State  law  and  overturn  the  State  law  and 
get  the  information  they  thought  was  important? 

Dr.  Hamburg.  I  think  the  proposed  rule  makes  clear  that  where 
there  are  existing  laws  that  require  certain  information  be  made 
available,  such  as  with  respect  to  public  health,  that  information 
would  be  made  available. 

Chairman  Thomas.  No,  the  State  passed  a  law  sa3dng  it  was  not 
going  to  be  provided.  So  you  would  go  in  and  say,  notwithstanding 
what  you  may  assume  to  be  a  State  right,  we  are  going  to  say  no 
in  this  area;  is  that  what  you  said? 

Dr.  Hamburg.  For  critical  issues  such  as — 

Chairman  Thomas.  Who  defines  the  critical  issue? 

Dr.  Hamburg. — public  health  would  be — 

Chairman  Thomas.  Who  defines  the  critical  issue?  Does  not  the 
sovereign,  does  not  the  Federal  Government  define  it,  as  you  have 
done  in  this  regulation  in  preempting  certain  State  laws  that  you 
thought  did  not  reach  a  particular  level  associated  with  what  you 
considered  to  be  appropriate? 

Dr.  Hamburg.  We  are,  as  I  said,  going  to  be  reviewing  all  the 
comments  that  come  in.  The  final  reg  is  not  established  yet,  but  it 
is  the  clear  intent  as  we  move  forward  toward  shaping  that  final 
regulation  to  ensure  that  such  critical  national  security,  national 
health  protection  needs  are  not  inhibited — 

Chairman  Thomas.  And  that  is  a  good  position  to  rally  around, 
because  national  security  health  needs — but  I  also  mentioned  anti- 
fraud.  Would  you  then  push  your  ability  to  overturn  State  laws  if 
in  withholding  information  it  inhibited  the  inspector  general  or  oth- 
ers? Because  this  majority  has  passed  more  than  65  specific  assist- 
ances in  going  after  fraud  and  abuse  which  the  Administration  has 
rightly  touted  has  produced  more  than  $10  billion  of  savings  over 
the  last  several  years  in  using  the  tools  that  we  have  provided  you 
in  stopping  fraud  and  abuse. 

But  if  a  State  passed,  based  upon  the  desire  to  withhold  personal 
information,  which  may  in  fact  conflict  with  your  ability  to  get  at 
anti-fraud,  then  would  you  not  also  want  to  move  in  that  area  in 
terms  of  preemption? 

Dr.  Hamburg.  I  think  it  has  been  very  clear  that  on  the  public 
responsibility  side  of  this,  public  health  as  well  as  the  fraud  and 
abuse  areas,  certain  law  enforcement  needs,  et  cetera,  have  to  bal- 
anced against  the  other  protections  and  we  feel  that  is  a  critical 
component  of  what  we  are  trjdng  to  achieve. 

Chairman  Thomas.  All  I  am  saying  is  that  clearly  I  could  name 
any  number  of  specific  instances  in  which  you  would  choose  for  the 
sovereign;  that  is,  preempting  the  State.  My  argument  is,  that  is 
a  really  slippery  slope.  Set  up  a  structure  and  then  have  this  con- 
flict over  a  number  of  years  over  something  as  sensitive  as  patient 
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medical  records,  and  how  they  are  handled.  And  the  crazy  quilt 
that  your  basic  structure  would  produce  across  the  country. 

Perhaps  we  ought  to  just  face  the  issue — now  this  is  a  Repub- 
Ucan  talking  about  Federal  preemption.  We  should  just  face  the 
issue  that  it  ought  to  be  done  in  a  way  that  gives  us  the  maximum 
opportunity  to  afford  imiform  security  protection,  confidentiality. 
Atid  that  it  ought  to  be  a  Federal  preemption  rather  than  your  Fed- 
eral floor  over  where  today  you  think  it  is  important  to  preempt 
State  laws,  but  where  tomorrow  there  is  no  question  you  will  find 
you  are  put  in  a  choice  situation  in  which  you  choose  to  preempt 
State  laws  willy-nilly,  which  means  you  drive  other  States  to  pass 
laws  based  upon  the  reaction  to  the  Federal  move. 

I  just  think  that  direction  is  fraught  with  danger  in  providing  a 
uniform  appropriate  data  collection  for  research,  for  error  correc- 
tion, commensurate  with  protecting  the  individual's  right  to  con- 
fidentiality on  their  medical  records. 

The  gentleman  fi:om  Washington. 

Mr.  McDermott.  Thank  you,  Mr.  Chairman.  I  want  to  address 
my  questions  both  to  you.  Dr.  Hamburg,  and  also  Mr.  Claxton,  be- 
cause I  think  you  had  something  to  do  with  the  writing.  You  are 
not  sitting  there  for  no  reason.  So  whichever  of  you  feel  is  you  are 
the  best  to  answer  the  question  I  think  it  would  be  helpful. 

In  response  to — it  is  interesting  to  listen  to  the  chairman.  I  do 
not  often  hear  you  suggesting  Federal  preemption,  big  Government. 
So  it  is  always  interesting  to  hear. 

Chairman  Thomas.  Uniform  Government. 

Mr.  McDermott.  Yes.  I  am  sorry.  It  may  become  big,  right? 

Chairman  Thomas.  Uniform  big  is  better  than  non-uniform  big. 

Mr.  McDermott.  When  the  bill  was  written — 

Chairman  Thomas.  In  the  protection  of  individual  rights. 

[Laughter.] 

Mr.  McDermott.  I  did  not  interrupt  you  at  all.  I  let  you  have 
your  go  here. 

The  issue  of  the  bill  having  been  written  giving  you  a  Federal 
preemption,  you  wrote  your  regulation  with  that  in  mind.  The  Con- 
gress said  you  are  to  preempt  State  laws;  is  that  correct? 

Dr.  Hamburg.  With  respect  to  the — ^yes. 

Mr.  McDermott.  To  the  narrow  areas  that  are  covered  by  this 
regulation. 

I  make  that  point  because  on  the  one  hand  we  said,  preempt 
State  laws  and  then  we  tied  your  hands.  We  said,  you  cannot  look 
at  the  whole  area  of  privacy,  you  just  have  to  look  at  this  one  little 
narrow  area.  Coming  from  having  a  background  in  a  State  legisla- 
ture, I  do  not  know  how  many  times  we  had  to  adjust  our  laws  to 
fit  a  Federal  law.  It  was  a  constant  part  of  being  a  State  legislator 
was  always  making  adjustments. 

So  I  think  the  chairman  raises  an  issue,  but  the  reason  we  are 
here  on  this  issue  at  the  national  level  is  because  it  is  not  being 
done  at  the  local  level  in  a  imiform  way.  I  think  there  are  only  28 
States  that  allow  patients  to  actually  look  at  their  own  record.  You 
have  a  legal  right  to  look  at  your  record.  In  many  States  you  can- 
not go  in  and  say,  I  want  to  see  what  is  in  my  record. 

So  it  seems  to  me  that  is  a  big  part  of  what  you  are  tr5dng  to 
do  here  is  to  set  a  floor.  Now  the  question  is,  how  high  you  set  the 
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floor  as  to  how  much  you  are  going  to  get  in  the  State  legislature. 
Is  that  your  anticipation? 

Dr.  Hamburg.  I  think  that  you  have  framed  it  exactly  right. 

Mr.  McDermott.  Because  I  listen  to  this  and  I  think  to  myself, 
there  is  a  specific  issue  that,  this  business  about  why  you  went  at 
the  business  partners  the  way  you  did.  The  law  says  that  you  can 
regulate  health  plans,  providers,  certain  providers,  and  clearing- 
houses. And  anybody  who  knows  an5^hing  about  the  health  care 
delivery  system  realizes  there  is  a  whole  other  series  of  entities  out 
there  that  can  use,  have  used  for  a  variety  of  reasons,  either  for 
research  or  for  marketing  purposes,  this  data. 

Your  job  was — then  they  tied  our  hands  with  only  three,  how  do 
we  get  at  these  things?  That  is  the  reason  why  you  have  the  busi- 
ness partner  section  in  there;  is  that  correct? 

Dr.  Hamburg.  Absolutely.  I  think  it  also  underscores  one  of  the 
reasons  why  we  fundamentally  believe  that  while  we  have  made  a 
very  good  faith  effort  in  trjdng  to  achieve  privacy  protections 
through  this  reg,  that  comprehensive  national  legislation  will  en- 
able a  much  broader  and  more  protective  approach. 

Mr.  McDermott.  If  you  had  not  reached  out  through  this  indi- 
rect mechanism  of  saying  that  a  health  care  provider  or  whatever, 
or  a  clearinghouse  has  to  have  a  contract  with  their  business  part- 
ners about  this  issue,  it  essentially  would  be  a  loophole  big  enough 
to  drive — I  do  not  know,  anything  could  fly  through  it,  if  I 
imderstand — 

Dr.  Hamburg.  I  think  that  is  right,  and  we  would  not  want  to 
undermine  the  public  confidence  in  the  protections  we  are  trying 
to  put  forward  for  them  by  allowing  surrogates  of  the  covered  enti- 
ties to  do  exactly  the  kinds  of  things  with  their  health  information 
that  we  are  trying  to  prohibit  through  the  proposed  reg. 

Now  we  certainly  have  heard  a  lot  of  concerns  about  how  this 
concept  of  reaching  to  the  business  partners  should  be  structured 
and  we  will  be  going  over  the  comments  very  carefully  and  trying 
to  think  that  through,  because  we  recognize  from  important  part- 
ners that  this  is  an  arena  that  raises  concerns  about  additional 
burden,  additional  cost,  additional  liability,  and  we  have  to  look  at 
that  carefully  and  take  those  concerns  into  consideration. 

But  we  do  feel  that  we  cannot  simply  put  forward  protections 
that  would  address  the  covered  entities  and  not  recognize  that,  as 
you  say,  the  information  goes  out  in  many  different  directions. 
That  we  have  a  very  complex  health  care  system  and  many  people 
are  involved,  and  that  our  reg  only  formally  has  the  power  of  en- 
forcement and  authority  over  a  very  circumscribed  element. 

Mr.  McDermott.  Can  I  ask  you  a  question  that  I  was  sitting 
here  thinking  about?  If  you  have  an  HMO  and  you  have  all  this 
data  about  your  patients,  this  regulation  would  prohibit  you  from 
selling  that  in  some  kind  of  commercial  means  to  health  marketing 
or  to  wellness  whatever  or  any  other  entity  outside,  would  it  not? 

Dr.  Hamburg.  Without  specific  patient  authorization. 

Mr.  McDermott.  Now  if  you  have  a  wholly  owned  subsidiary 
and  you  transfer  it  to  them,  can  they  then  put  it  out? 

Dr.  Hamburg.  If  it  would  be  to  be  used  for  marketing  and  relat- 
ed activities  it  would  still,  even  if  it  was  another  entity  that  was 
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part  of  this  umbrella  covered  entity,  it  would  still  require  specific 
patient  authorization  for  those  purposes. 

Mr.  McDermott.  But  if  you  spun  off — ^because  of  the  business 
partners  question  or  is  it  because  it  is  part  of  one  entity? 

Dr.  Hamburg.  Any  use  for  marketing  would  require  the  patient 
authorization. 

Mr.  Claxton.  In  your  case,  because  it  is  part  of  one  entity. 
Mr.  McDermott.  I  am  sorry? 

Mr.  Claxton.  In  your  example  it  is  because  it  is  part  of  one  en- 
tity. 

Mr.  McDermott.  Part  of  one  entity. 
Mr.  Claxton.  If  they  spun  it  off- 
Mr.  McDermott.  Now  if  they  spun  it  off  and  it  is  totally  unre- 
lated, has  an  arms-length  relationship  with  the  HMO,  it  is  now  our 
data  marketing  organization  and  we  have  created  a  new  entity, 
Inc.,  then  they  have  that  information  and  they  can  do  whatever 
they  wish  with  it  unless  you  have  this  contract  between  the  HMO 
and  this  arms-length  company — 
Dr.  Hamburg.  Correct. 

Mr.  McDermott. — that  is  marketing  the  data;  is  that  correct? 

Mr.  Claxton.  Assuming  that  the  entity  could  have  gotten  it  in 
the  first  place  as  a  partner.  If  it  is  doing  something  on  behalf  of 
the  HMO  it  could  have  gotten  the  information  in  the  first  place, 
and  then  you  need  the  business  partner  relationship  to  continue  to 
protect  the  information. 

Mr.  McDermott.  So  they  give  this  information  to  a  survey  com- 
pany and  they  are  doing  work  for  the  HMO,  and  that  would  be  the 
relationship.  Then  whatever  they  did  with  it  after  that  is  their  own 
business  unless  you  have  this  contract. 

Dr.  Hamburg.  Correct. 

Mr.  McDermott.  That  is  why  I  think  it  is  important  that  the 
way  we  wrote  the  law  you  had  no  other  way  to  g"et  at  that  relation- 
ship, if  I  understand  correctly  what  you  were  trying  to  do. 

Dr.  Hamburg.  That  is  absolutely  correct. 

Mr.  McDermott.  Now  when  you  look  at  the  whole  question  of 
assuring — 

Chairman  Thomas.  The  gentleman's  time  has  expired.  We  will 
move  to  the  other  members.  If  you  want  to  go  on  for  a  second 
round,  you  can  do  that. 

Mr.  McDermott.  Thank  you. 

Chairman  Thomas.  The  gentleman  fi-om  Pennsylvania  wish  to 
inquire? 

Mr.  English.  I  do,  Mr.  Chairman,  and  I  appreciate  the  oppor- 
tunity. Secretary  Hamburg,  reviewing  these  regulations  which  I 
think  address  one  of  the  more  challenging  issues  we  in  Congress 
have  to  face  this  year  I  wonder,  we  can  all  agree  on  the  need  to 
prohibit  disclosure  of  patient  information  as  a  central  tenet  of  pro- 
tecting confidentiality.  It  is  obviously  disclosure  of  information  that 
patients  are  rightly  concerned  about. 

However,  this  nile,  this  proposed  rule  attempts  to  limit  uses  of 
information  without  individual  authorization,  even  within  a  cov- 
ered entity  such  as  a  hospital.  Question,  do  you  really  believe  that 
you  know  and  have  included  all  of  the  possible  current  and  future 
appropriate  uses  of  patient  information?  If  this  rule  had  been  pro- 
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mulgated  15  years  ago,  could  you  have  predicted  all  of  the  innova- 
tions that  the  delivery  system  has  today? 

Dr.  Hamburg.  No.  I  think,  first  of  all  in  formulating  the  reg  we 
tried  to  think  as  carefully  through  all  of  the  many  ramifications  as 
well  as  emerging  potential  issues.  But  it  is  a  very  complex  issue, 
very  multi-layered,  and  we  are  hoping  through  the  comment  period 
to  broaden  our  thinking  in  the  short  term.  In  the  long  term,  of 
course,  things  are  so  rapidly  changing  both  in  terms  of  how  our 
health  care  delivery  system  is  structured,  the  technology  available 
to  support  that,  and  of  course  the  application  of  new  technologies 
and  procedures  and  the  implications  raised. 

So  I  think  that  there  is  not  going  to  be  one  set  of  privacy  regs 
or  one  comprehensive  piece  of  privacy  legislation  that  will  resolve 
all  the  issues  now  and  in  the  future.  But  what  we  are  trying  to  do 
is  really  put  forward  a  framework  for  addressing  the  problems.  But 
we  are  going  to  have  a  dynamic  process. 

Mr.  English.  I  understand,  but  that  is  the  rub.  Would  it  not  be 
more  workable  to  focus  the  regulation  on  disclosure  of  patient  in- 
formation and  not  attempt  to  regulate  use,  particularly  within  a 
covered  entity? 

Dr.  Hamburg.  I  think  the  two  are  hand  in  hand.  What  we  are 
trying  to  define  are  the  circumstances,  how  information  within  a 
covered  entity  can  be  appropriately  used  and  the  protections  that 
should  apply.  Then  also  there  are  needs  for  others  outside  of  that 
covered  entity  to  access  that  information  and  then  to  clearly  define 
the  circumstances  under  which  that  will  occur  and  the  responsibil- 
ity on  those  outside  entities  or  individuals  in  terms  of  how  they  ap- 
propriately handle  the  information. 

Mr.  English.  I  would  like  to  get  your  reaction  to  some  general 
comments  that  were  sent  to  Secretary  Shalala  by  Pennsylvania's 
department  of  health.  They  put  forward  the  following  recommenda- 
tion. Even  though  the  intent  of  the  regulation  is  clear  concerning 
what  information  is  allowed  to  be  released  absent  individual  au- 
thorization, DOH  is  concerned  that  covered  entities  may  react  to 
the  regulations  by  overprotecting  information;  i.e.,  not  releasing  in- 
formation to  a  public  health  entity  for  one  of  more  of  the  above  pur- 
poses. 

This  would  undermine  the  intent  of  the  regulations  as  well  as 
core  public  health  functions.  DOH  will  engage  in  public  education 
efforts  and  request  that  HHS  take  similar  steps  to  make  sure  the 
intent  of  the  regulations  is  conveyed. 

Are  you  prepared  to  do  that  kind  of  a  public  education  effort? 

Dr.  Hamburg.  I  can  assure  you  that  the  concerns  raised  by  the 
Pennsylvania  Department  of  Health  will  be  looked  at  very  seri- 
ously. On  a  very  personal  basis,  I  was  New  York  City's  health  com- 
missioner for  six  years  prior  to  taking  this  job.  Many  of  the  issues 
they  raise  are  very  close  to  my  heart  and  I  have  seen  it  from  the 
other  side.  So  we  will  be  working  intensively  during  this  comment 
review  period  to  look  at  all  of  the  comments  that  come  in  and  to 
address  the  concerns.  But  I  can  assure  you  that  the  issues  that 
surround  the  issues  of  public  health  information  will  get  a  serious 
look. 

Mr.  English.  I  take  that  as  a  very  important  commitment. 
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One  other  recommendation  they  made,  they  recommend  that 
HHS  should  indicate,  perhaps  in  the  preamble  to  the  regulation, 
that  agencies  receiving  information  for  the  above — that  is  public 
health  function  purposes — remain  bound  by  existing  State  laws 
which  govern  the  use  of  such  information.  Do  you  agree  with  that 
and  are  you  prepared  to  respond? 

Dr.  Hamburg.  I  would  like  to  be  able  to  look  at  the  comment  be- 
fore responding  in  this  forum. 

Mr.  English.  Very  good.  My  time  has  expired,  Mr.  Chairman, 
and  I  will  hopefully  get  another  shot.  Thank  you. 

Chairman  Thomas.  Thank  the  gentleman.  Although  he  is  not 
now  a  member  of  the  subcommittee — his  party  rules  preclude  him 
from  doing  that^ — I  know  his  heart  is  always  with  us,  and  it  is  a 
pleasure  to  see  the  body  and  mind  attached  with  the  heart  today. 
So  the  gentleman  from  Maryland,  if  he  wishes  to  inquire. 

Mr.  Cardin.  Thank  you,  Mr.  Chairman.  I  thank  you  for  the  cour- 
tesy of  allowing  me  to  sit  in  on  this  panel.  This  is  a  very  difficult 
subject.  Secretary  Hamburg,  I  applaud  your  efforts  considering  the 
legislative  authority  that  we  gave  you.  It  is  difficult  to  do.  And  con- 
sidering the  amount  of  public  comment  that  you  have  received,  you 
are  finding  out  exactly  how  much  interest  there  is  out  there  and 
how  many  people  have  their  own  ideas  on  how  they  could  draft  pri- 
vacy legislation  as  it  relates  to  medical  records. 

One  thing  I  think  is  clear,  Mr.  Chairman,  and  that  is,  we  need 
a  bill.  It  is  wonderful  that  HHS  must  go  forward  with  a  regulation 
that  is  required  under  law.  But  ultimately,  it  is  going  to  be  impor- 
tant I  think  for  Congress  to  pass  the  framework  for  medical  pri- 
vacy, and  to  do  it  in  a  more  comprehensive  way  then  you  are  al- 
lowed to  do  under  the  regulation  that  has  been  submitted  to  you. 
Mr.  Chairman,  I  do  want  to  applaud  your  efforts  to  try  to  bring  out 
a  bill  on  a  bipartisan  basis  because  I  think  the  only  way  we  can 
do  this  is  in  a  bipartisan  way.  It  is  a  very  sensitive  issue  to  all  of 
our  constituents  and  it  cries  out  for  us  to  get  it  done  right. 

I  also  want  to  talk  just  one  minute,  if  I  might,  about  this  idea 
of  a  Federal  floor  and  people  concerned  about  preemption,  or 
whether  we  preempt  or  whatever.  I  think  that  is  the  wrong  way 
to  really  look  at  this.  We  need  national  standards  as  to  how  medi- 
cal records  should  be  kept  so  that  we  protect  the  identity  of  individ- 
uals. That  should  be  a  national  standard.  There  should  be  no  ques- 
tion about  that. 

The  States  are  clearly  going  to  be  involved.  There  is  public 
health  issues.  There  are  public  safety  issues,  and  we  need  to  make 
sure  the  States  have  the  ability  to  protect  their  citizens  where  it 
is  appropriate.  But  we  also  need  to  have  national  standards  as  to 
when  identifiable  information  can  be  made  available  for  research, 
or  when  it  can  be  made  available  for  pajnnent,  or  for  treatment.  I 
think  that  is  what  we  are  trying  to  get  at,  the  right  balance. 

So  the  question  I  have  for  you,  Secretary  Hamburg,  is  that  one 
of  the  issues  that  we  are  having  a  great  deal  of  difiiculty  is,  how 
do  you  enforce  whatever  standards  we  come  up  with?  How  have 
you  done  that  in  your  regulations  and  how  do  you  think  is  the  best 
way  for  us  to  make  sure  that  these  standards,  whatever  standards 
are  developed,  that  all  parties  that  are  affected  by  it  comply  with 
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the  standards?  And  how  do  you  go  about  making  sure  that  becomes 
reahty? 

Dr.  Hamburg.  There  are  a  set  of  enforcement  standards  that  I 
beheve  were  given  to  us  through  the  HIPAA  statute  in  terms  of  our 
opportunities  for  enforcement.  And  that  is  one  of  our  concerns,  one 
of  the  reasons  why  we  feel  that  in  fact  national  legislation  would 
provide  benefits  that  we  cannot  achieve  through  the  reg  process. 
There  are  both  civil  and  criminal  penalties  that  can  be  applied,  but 
in  truth,  the  enforcement  teeth  we  do  not  feel  are  fully  adequate. 

Mr.  Cardin.  So  will  you  be  coming  forward  to  us  with  rec- 
ommendations as  to  legislative  changes  as  it  relates  to  enforce- 
ment? 

Dr.  Hamburg.  We  are  hoping  to  be  working  closely  with  you  to 
develop  national  privacy  protection  legislation,  and  within  that  con- 
text addressing  the  issue  of  enforcement. 

Mr.  Cardin.  But  you  have  no  specific  recommendation  at  this 
time? 

Mr.  Claxton.  The  Secretary's  recommendations  in  1997  sug- 
gested that  we  thought  there  should  be  civil  money  penalties  for 
violations  criminal  penalties  for  knowing  and  wrongful  conduct. 
And  that  there  should  also  be  private  right  of  action  to  address  the 
rights  of  individual  whose  privacy  rights  were  violated  and  who 
suffer  damages. 

Mr.  Cardin.  This  should  all  be  Federal,  or  not? 

Mr.  Claxton.  We  thought  Federal  law  should  have  that  in  place, 
yes. 

Mr.  Cardin.  How  does  that  relate  to  State  enforcement? 

Mr.  Claxton.  States  would  have  their  own  penalties  if  they  had 
laws.  We  have  not  commented  on  the  level  of  State  penalties  that 
should  exist  as  far  as  I  know.  We  have  had  some  discussions  with 
respect  to  specific  issues  such  as  HIV  reporting,  but  nothing  broad. 

Mr.  Cardin.  I  take  it  an  awful  lot  depends  on  the  standards.  I 
know  I  am  asking  a  difficult  question,  but  I  think  it  is  important 
as  we  get  into  this  discussion  to  make  sure  that  whatever  system 
we  have  come  up  with  is  one  that  there  is  effective  enforcement  on 
so  that  we  can  in  fact  tell  our  constituents  that  we  are  not  only 
telling  in  law  the  standards  that  protect  their  medical  privacy  but 
that  it  can  be  enforced. 

Thank  you,  Mr.  Chairman. 

Chairman  Thomas.  Thank  the  gentleman.  I  find  it  ironic  that 
your  goal  for  Federal  legislation  is  to  make  sure  that  you  have  uni- 
form penalties  to  go  after  these  people,  but  the  standards,  the  col- 
lection of  data,  the  flow  of  data,  the  uses  of  the  data  above  what- 
ever minimum  structure  you  are  talking  about  would  not  be  af- 
forded the  same  level  of  concern.  The  gentleman  uses  the  term 
standards  and  I  have  no  quarrel  with  that  as  long  as  they  are  high 
enough  that  in  essence  they  produce  a  preemption  for  uniformity. 
I  My  goal  is  to  get  your  folks  to  look  at  the  need  for  standardiza- 
1  tion  on  the  other  side  of  the  ledger  as  to  how  you  deal  with  this 
information  and  not  just  the  side  of  the  ledger  that  makes  sure 
that  when  people  do  make  mistakes  in  confusing  crazy  quilt  struc- 
tures of  not  only  all  the  States  and  the  Federal,  but  that  you  can 
wham  them  with  a  real  good,  uniform  penalty.  I  think  it  has  to  be 
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evenhanded  on  both  sides  or  you  do  not  get  the  uniform  hammer 
if  you  do  not  provide  the  uniform  standard  codes  and  procedures. 

Dr.  Hamburg.  I  can  assure  you  we  have  heard  your  message  and 
we  understand  the  rationale  that  you  are  putting  forward.  I  think 
it  would  be  unfair  to  characterize  our  position  as  that  we  only  are 
interested  on  the  enforcement  side  for  national  standards.  We  very 
much  support  your  leadership  and  that  of  your  colleagues  in  terms 
of  pushing  for  national  legislation  that  will  provide  a  very  firm 
standard  both  for  how  data  is  utilized,  but  also  how  when  there  are 
transgressions  in  terms  of  appropriate  use,  we  can  enforce  appro- 
priate behavior. 

Chairman  Thomas.  My  goal  is  to  create  a  situation  in  which  my 
friend  Ben  Cardin  and  I  present  to  you  a  proposal  that  you  cannot 
refuse. 

The  gentleman  from  Washington. 

Mr.  McDermott.  Mr.  Chairman,  thank  you.  I  want  to  clarify 
something  because  in  listening  to  the  chairman's  questions  at  one 
point  it  sounded  as  though  States  could  erect  barriers  against  le- 
gitimate national  purposes,  and  my  understanding  is  that  your  reg- 
ulation clearly  makes  Federal  preemption  in  key  national  priority 
areas,  including  oversight  and  research  and  public  hesdth,  that 
these  are  areas  where  the  Federal  Government  is  preeminent  in 
those  issues.  Is  that  correct,  that  they  can  override  a  lesser  State 
or  an  obstructive  State  issue? 

Mr.  Claxton.  In  the  case  where  there  is  already  a  requirement 
under  Federal  law  to  allow  access  or  make  reporting  there  is  noth- 
ing in  the  regulation  which  would  resurrect  a  State  barrier  to  a 
Federal  law. 

Mr.  McDermott.  So  the  States  could  not  use  regulation  in  some 
way  that  they  could  get  around  the  Federal  regulation? 

Mr.  Claxton.  No.  For  example,  there  is  nothing  about  our  regu- 
lation that  makes  a  State  law  applicable  to  an  ERISA  plan,  be- 
cause they  already  have  Federal  preemption. 

Mr.  McDermott.  So  you  are  sa5dng  that  the  purpose  of  the  Con- 
gress; that  is,  looking  at  fraud  and  other  medical  errors  and  so 
forth,  no  State  could  pass  a  law  that  would  prevent  us  from  getting 
the  information  to  do  those  kinds  of  researches? 

Mr.  Claxton.  As  long  as  the  Federal  priority  was  manifested 
through  a  requirement  on  a  provider.  If  a  provider  has  a  choice 
now,  the  State  law  could  affect  that  provider's  choice.  But  the  pro- 
vider in  that  case  would  not  have  had  to  comply  with  the  Federal 
request  anyway. 

Mr.  McDermott.  Now  there  is  another  area  where  it  seems  to 
me  that  there  is  a  lot  of  uncertainty,  this  whole  business  of  the 
pharmacy  benefit  managers,  and  pharmacy  programs,  and  disease 
management.  These  are  programs  that  are  new.  I  mean,  they  have 
been  going  for  the  last  four  or  five,  or  maybe  eight  or  nine  years, 
and  they  gather  enormous  data  about  what  people  are  taking  in 
this  country.  Therefore,  you  could  extrapolate  what  their  disease 
may  be.  A  lot  of  people  are  concerned  about  their  ability  to  have 
that  data  and  use  it  in  a  variety  of  ways. 

Tell  me  what  you  did  here,  and  did  you  consider  making  it  a  re- 
quirement that  before  these  entities  could  use  this  information  they 
had  to  have  a  check-off  from  the  patient  that  they  wanted  to  be 
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given  mailings  about  X,  Y,  or  Z?  If  you  have  diabetes,  the  phar- 
macy knows  that  you  have  diabetes.  Now  you  then  are  subject  to 
having  that  spread  all  over  the  place  for  whatever  anybody  can 
think  of  that  they  ought  to  be  doing  for  you.  Did  you  consider  put- 
ting a  restriction  or  a  requirement  for  a  positive,  I  want  to  get  fur- 
ther information? 

Dr.  Hamburg.  With  respect  to  the  issues  you  raise,  again  we  are 
getting  lots  of  comments,  different  interpretations,  people  mean  dif- 
ferent things  when  they  say  disease  management  programs,  for  ex- 
ample, so  that  there  is  going  to  be  a  lot  of  sorting  out.  But  as  long 
as  within  a  covered  entity  information  is  being  used  as  part  of  the 
ongoing  care  and  treatment  of  that  individual  it  does  not  require 
a  specific  patient  authorization.  If  it  is  being  used  to  send  out  mail- 
ings to  market  new  drugs,  et  cetera,  that  would  be  an  inappropri- 
ate use. 

Mr.  McDermott.  And  that  is  for  medical  devices  and  ever3^hing 
else?  An3rthing  anybody  would  use  that  for  a  marketing  tool,  it  is 
prevented  unless  there  is  a  specific — 

Mr.  Claxton.  What  you  said  is  right.  I  think  the  difficult  issue 
is  trying  to  address  a  situation  where  a  provider  is  rightfully  trying 
to  make  his  or  her  patient  aware  of  new  information  or  new  prod- 
ucts that  might  be  beneficial  to  that  patient  and  where  they  are  ac- 
tually engaged  in  marketing  where  the  provider  is  relatively  indif- 
ferent but  just  saying,  here  is  someone  who  might  be  interested. 
Those  are  hard  lines  to  draw.  We  are  going  to  look  at  the  com- 
ments and  do  our  best. 

But  the  distinction  between  disease  management  and  marketing 
is  not  clear  every  time,  but  it  is  I  think  something  people  feel  very 
strongly  about  being  able  to  distinguish.  It  might  be  that  the  physi- 
cian has  a  fairly  key  role  to  play  in  that  and  we  have  heard  from 
various  sides  on  this  and  expect  to  hear  a  lot  more. 

Mr.  McDermott.  If  the  contract  that  the  HHS  wants  between 
the  covered  entities  and  the  contractual  ones,  the  business  part- 
ners, is  that  possible  to  handle  that  by  having  a  standard  contract 
that  you  people  would  draw  up  and  put  out  there  so  that  each  one 
of  the  partners  or  each  one  of  the  entities  covered  would  have  in 
hand  something  to  hand  to  a  business  partner  and  say,  sign  this? 

Dr.  Hamburg.  I  think  that  there  are  so  many  differing  types  of 
partners  and  the  requirements  in  terms  of  the  working  business  re- 
lationship involve  different  kinds  of  elements — not  all  the  business 
partners  are  doing  the  exact  same  things — that  it  is  unlikely  that 
we  would  develop  standard  model  contract  language.  We  could  cer- 
tainly identify  the  critical  elements  of  understanding  about  how 
data  would  be  handled,  and  the  expectations  should  be  explicit  and 
will  be. 

We  are  certainly  open  to  examining  the  question,  but  I  think 
model  contract  language  would  not  be  the  primary  approach  be- 
cause they  are  not  cookie  cutter  kinds  of  relationships  where  one 
size  fits  all.  But  understanding  the  elements  that  need  to  be  in- 
cluded should  be  explicitly  defined. 

Mr.  McDermott.  Thank  you,  Mr.  Chairman. 

Chairman  Thomas.  The  gentleman  from  Pennsylvania  with  to 
further  inquire? 


38 


Mr.  English.  Yes,  thank  you,  Mr.  Chairman.  Secretary  Ham- 
burg, within  your  proposed  regulation,  Section  160.204  outlines  the 
process  for  requesting  exception  determinations,  and  subsection  A.l 
outlines  the  process  by  which  a  State  may  request  an  exception  for 
a  particular  State  law.  Our  State  department  of  health  has  charac- 
terized this  process  as  particularly  burdensome  given  the  multiple 
confidentiality  laws  that  exist  in  Pennsylvania. 

I  am  not  as  familiar  with  what  other  States  have,  but  for  Penn- 
sylvania this  section  would  require  multiple  requests  for  exception. 
They  argue,  the  department  of  health  argues  that  request  for  ex- 
ception should  be  required  only  when  a  challenge  is  brought 
against  a  particular  State  law.  The  presumption  should  lie  with 
State  laws. 

What  was  your  philosophy  in  crafting  this  provision,  and  how  do 
you  assess  the  merits  of  the  department  of  health's  argument? 

Dr.  Hamburg.  I  think  I  will  ask  Mr.  Claxton  to  address  that  as 
he  was  intimately  involved — 

Mr.  English.  Mr.  Claxton? 

Mr.  Claxton.  Thank  you.  The  HIPAA  itself  sets  forth  certain 
areas  where  State  law — ^where  the  Secretary  has  to  make  a  deter- 
mination whether  or  not  certain  State  laws  are  in  conflict.  We  tried 
to  carry  out  that  section  as  it  was  in  HIPAA.  We  have  gotten  a  fair 
number  of  inquiries  about  this  and  tried  to  clarify  it  and  we  are 
going  to  look  at  the  comments.  To  some  large  extent  I  think  we  are 
constrained  by  what  the  statute  says,  which  is  that  the  Secretary 
can  make  a  determination  with  respect  to  State  laws  in  certain 
areas, 

Mr.  English.  I  will  accept  that  and  I  would  appreciate  any  fur- 
ther response  you  might  want  to  provide  in  writing. 
Mr.  Claxton.  Certainly. 

Mr.  English.  Subsection  A.4  limits  the  length  of  time  for  an  ex- 
ception to  three  years  explicitly.  I  would  question  why  it  would  be 
necessary,  if  there  has  been  no  change  in  State  law,  to  require 
States  to  reapply  for  exceptions.  Do  you  have  a  policy  reason  for 
doing  that? 

Mr.  Claxton.  I  do  not  recall  why  that  is  there.  We  will  be  happy 
to  respond  in  writing. 

Mr.  English.  If  you  would  be  willing,  I  would  appreciate  a  re- 
sponse in  writing  on  that  point  as  well. 

Finally,  Dr.  Hamburg,  in  HIPAA  the  Secretary  was  instructed  to 
promulgate  regulations  that  are  "consistent  with  the  goals  of  im- 
proving the  operation  of  the  health  care  system  and  reducing  ad- 
ministrative costs."  Several  of  the  department's  provisions  signifi- 
cantly increase  the  amount  of  administrative  procedures  for  cov- 
ered entities. 

For  example,  requiring  the  review  of  each  protected  health  infor- 
mation request  in  order  to  ensure  that  "minimum  necessary  stand- 
ard", requiring  significant  allocation  of  resources  to  contract  with 
and  monitor  business  partners.  Do  you  not  think  that  these  re- 
quirements would  significantly  increase  the  administrative  burden 
for  health  care  organizations,  and  is  there  a  better  way  to  do  this? 

Dr.  Hamburg.  I  think  in  shaping  the  proposed  reg  we  have  tried 
very  hard  to  balance  what  systems  need  to  be  put  in  place  to  afford 
appropriate  protection  with  trjdng  to  avoid  undue  burden.  As  we 
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have  looked  at  some  of  the  elements  that  you  refen^ed  to.  our  sense 
is  that  while  it  would  add  in  some  cases  additional  administrative 
acti\ities  and  some  new  burden,  that  in  fact  in  teims  of  overall 
costs  our  estimates  suggest  it  would  be  less  than  one-tenth  of  1 
percent  of  overall  spending  for  health  care  when  you  break  it  dowTi 
on  a  per-patient  basis.  It  really  is  not  an  overwhelming  additional 
cost. 

You  have  to  think  about  it  in  terms  of  the  additional  benefits 
that  would  accrue  in  tenns  of  impro\ing  quality  of  care,  reducing 
the  hkelihood  that  indi\aduals  would  not  seek  appropriate  medical 
evaluation  and  treatment  because  of  fears  of  their  important,  sen- 
sitive health  information  being  misused.  So  it  is  a  ver>'  difficult  bal- 
ancing act. 

One  of  the  things  that  we  are  going  to  look  at  veiy  carefully  as 
we  re\'iew  the  comments  are  the  inputs  that  have  come  in  concern- 
ing this  issue  because  we  want  this  to  be  workable.  It  is  a  bal- 
ancing act  and  it  is  ver>^  complicated,  as  we  all  recognize,  but  it  is 
an  area  of  major  focus  and  concern  and  it  'v^i.ll  be  reflected  in — 

Mr.  English.  And  I  very  much  appreciate  that.  Let  me  say.  I  am 
ver>^  sensitive  to  the  enormous  paperwork  burden  we  are  already 
putting  on  health  care  organizations  which  is  distorting  some  of 
their  decisions  and  ha%ing  an  indirect  and  sometimes  hidden  insid- 
ious efi'ect  on  the  quahty  of  health  care  in  this  country.  So  if  there 
is  a  way  of  reducing  that  paperwork  burden  as  you  put  for^vard 
these  regulations  I  think  we  should  be  sensitive  to  that  as  well. 

Thank  you,  Mr.  Chairman,  and  I  appreciate  the  opportimity  to 
inquire. 

Chairman  Tho:nl\s.  Thank  the  gentleman.  As  I  stated  earlier, 
any  written  questions  that  any  members  want  to  submit,  we  will 
leave  it  open  till  the  close  of  business  because  there  may  be  addi- 
tional questions  that  need  to  be  asked.  In  listening  to  the  gentle- 
man's questions,  a  number  of  in di\d duals  would  be  emious  of  your 
abiht}'  to  inquire  on  behalf  of  the  State  of  Pennsylvania  because  if 
this  goes  into  efi'ect  I  am  quite  sure  there  are  a  number  of  indi\'id- 
uals  who  would  love  to  ask,  which  is  stricter,  the  Federal  or  the 
State,  and  create  some  degree  of  comfort  that  they  are  doing  the 
right  thing.  When  I  realized  that  the  outer  edges  of  this  is  ulti- 
mately is  going  to  be  enforced  by  trial  lawyers,  it  should  give  us 
all  pause. 

Thank  you  very  much.  Good  luck  in  firming  it  up.  I  hope  we  see 
a  product  prior  to  the  ongoing,  and  counting,  seven  years  of  at- 
tempting to  write  a  final  regulation  for  Stark  II.  You  are  going  to 
need  all  the  help  you  can  get.  Thank  you  very  much,  Dr.  Hamburg, 
Mr.  Claxton. 

Dr.  Hamburg.  Thank  you. 

Chairman  Tho^l\s.  The  next  panel,  which  I  guess  on  an  issue 
hke  this  could  extend  for  row  after  row  after  row  of  \\dtnesses  who 
believe  they  are  going  to  be  impacted  by  this  regulation,  and  ohvi- 
ously  our  inabihty  to  accommodate  it,  I  do  believe  that  we  have  got 
a  pretty  good  cross-section  with  this  panel.  We  have  Dr.  William 
Plested  who  is  a  member  of  the  board  of  trustees  of  the  American 
Medical  Association,  ob\dously  an  interested  party;  Ms.  Alissa  Fox, 
executive  director  for  legislative  poHcy,  Blue  Cross-Blue  Shield; 
Janlori  Goldman,  director  of  the  health  privacy  project,  Institute 
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for  Health  Care  Research  and  PoUcy  at  Greorgetown  University; 
Mary  Grealy,  president,  Healthcare  Leadership  Council,  a  consor- 
tium of  a  number  of  interested  partes;  and  then  Dr.  Stephen  Ober, 
who  is  president  and  chief  executive  officer  of  S3niergy  from  Wal- 
tham,  Massachusetts  who  is  an  active  player  in  the  transmission 
of  data  and  who  had  quite  interesting  testimony. 

Dr.  Plested,  we  will  just  start  with  you  and  then  move  across  the 
panel.  Your  written  testimony  will  be  made  a  part  of  the  record 
and  you  can  address  us  in  the  time  that  you  have,  which  will  be 
five  minutes,  to  give  us  any  flavor  of  your  concern,  interest,  pas- 
sion, et  cetera. 

STATEMENT  OF  WILLIAM  G.  PLESTED,  HI,  M.D.,  MEMBER, 
BOARD  OF  TRUSTEES,  AMERICAN  MEDICAL  ASSOCIATION 

Dr.  Plested.  Mr.  Chairman  and  members  of  the  committee,  my 
name  is  Dr.  Bill  Plested.  I  am  a  practicing  vascular  surgeon  from 
Santa  Monica,  California,  and  a  member  of  the  AMA  Board  of 
Trustees.  It  is  an  honor  to  appear  before  your  committee  again. 

Thank  you  for  inviting  the  AMA  to  speak  to  you  today  on  an 
issue  of  overwhelming  importance,  not  only  to  physicians,  but  to 
every  person  who  finds  him  or  herself  as  a  patient.  That  is,  protect- 
ing the  confidence  and  trust  that  patients  place  in  us. 

Trust  is  the  foundation  of  the  patient/physician  relationship.  My 
patients  assume  that  the  private  information  they  discuss  with  me 
will  be  used  to  benefit  them,  not  to  benefit  anyone  else  who  may 
find  a  way  to  profit  from  their  personal  information. 

Frankly,  we  see  signs  that  patient  records  are  becoming  items  of 
commerce.  With  many  groups  clamoring  for  unfettered  access  to 
fulfill  some  alleged  compelling  need.  But  perceived  need  is  not  a 
right. 

Let  me  emphasize  that,  a  need  is  not  a  right. 

Every  business,  every  company,  every  government  body  that 
wants  patients  private  information  must  be  required  to  make  its 
case  to  the  American  people  as  to  why  its  professed  need  should 
override  people's  most  basic  right  to  keep  their  medical  information 
private.  This  is  AMA  policy,  and  this  is  the  approach  that  we  have 
adopted  in  our  comment  letter  to  the  Secretary  of  Health  and 
Human  Services,  in  response  to  her  proposed  rule  on  patient  pri- 
vacy. 

First,  we  are  concerned  about  access  to  patient  records  without 
patient's  consent,  usually  without  their  knowledge.  If  medical 
records  were  stored  in  our  homes,  we  would  have  all  kinds  of  pro- 
tections, the  Fourth  Amendment  or  civil  and  criminal  laws,  to  keep 
others  from  getting  and  using  our  information  without  our  permis- 
sion. Today,  patients  are  forced  to  share  private  medical  informa- 
tion in  order  to  get  the  very  help  that  they  need.  In  doing  so,  they 
are  vulnerable  to  exploitation  by  unrelated  third  parties  looking 
simply  for  profit. 

Physicians  are  imable  to  stem  this  tide.  We  think  the  Secretary's 
regulation  makes  this  situation  worse  and  this  is  unacceptable. 

The  Secretary  identifies  a  series  of  "national  priorities"  where  pa- 
tients' private  medical  information  would  be  used  without  their 
consent.  In  fact,  most  of  these  can  be  accomplished  using  de-identi- 
fied or  aggregate  information. 
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If  some  information  must  be  individually  identified,  the  first 
question  we  should  ask  should  be  why  not  get  the  patient's  con- 
sent? Are  we  concerned  that  a  truly  informed  patient  would  not 
give  his  or  her  consent?  This  should  certainly  give  us  pause. 

On  the  other  hand,  if  it  is  not  feasible  to  obtain  consent,  there 
shoiild  be  an  objective,  accountable  way  to  make  this  decision  for 
the  patient  who  is  unable  to  do  so.  If  someone  wanted  access  to 
your  medical  information,  would  you  not  want  to  know  why  do  they 
need  to  know  who  I  am?  Do  they  truly  need  information  linked  to 
my  name?  What  is  the  alleged  benefit  and  who  stands  to  profit  by 
getting  personal  information?  What  risk  am  I  exposed  to  if  such  in- 
formation is  disclosed?  What  kind  of  security  measures  are  in  place 
to  protect  my  records  and  make  sure  that  people  use  them  in  the 
way  they  said  they  would  or  that  unauthorized  people  do  not  have 
access? 

Such  a  system  already  exists  in  Federally  funded  research  pro- 
grams. The  Secretar/s  proposed  rule  would  expand  such  an  eval- 
uation to  all  research,  regardless  of  who  is  funding  this,  and  this 
is  good.  But  it  needs  to  be  expanded.  So-called  health  care  oper- 
ations that  do  not  benefit  a  specific  patient  require  especially  close 
scrutiny. 

Second,  we  must  comment  on  the  irony  that  all  these  new  admin- 
istrative burdens  and  documentation  requirements  proposed  by  the 
Secretary  are  the  result  of  so-called  administrative  simplification. 
The  physicians  of  America  are  buried  in  paper  with  less  and  less 
time  to  spend  with  our  patients.  We  object  in  the  strongest  terms 
to  the  bureaucratic  school  of  thought  reflected  yet  again  by  the  Sec- 
retar5^s  proposal  that  requires  extensive  and  repetitive  documenta- 
tion. This  kind  of  redundant  paperwork  requirement  is  for  the  ease 
of  bureaucrats,  not  for  physicians,  and  certainly  not  for  patients. 

This  burden  would  be  especially  difficult  for  smaller  sized  physi- 
cians' ofiices.  These  paperwork  and  administrative  requirements 
need  to  be  completely  rethought  and,  if  they  are  implemented  at 
all,  they  should  have  a  more  realistic  and  flexible  information  ap- 
proach for  all  physicians'  offices. 

Let  me  sum  up  by  getting  back  to  our  basic  point.  The  patient/ 
physician  relationship  is  all  about  trust.  It  must  be  fiercely  pro- 
tected. Privacy  is  a  precious  right.  Once  it  is  lost,  it  can  never  be 
retrieved.  We  must  remain  focused  on  the  patient  as  our  first  con- 
cern in  any  Federal  approach  to  medical  records  privacy  and  con- 
fidentiality. 

Thank  you  again  for  the  opportunity  to  present  the  AMA's  view- 
point today. 

[The  prepared  statement  follows:] 

Statement  of  William  G.  Plested,  III,  M.D.,  Member,  Board  of  Trustees, 
American  Medical  Association 

The  American  Medical  Association  (AMA),  representing  approximately  300,000 
physicians  and  medical  student  members,  appreciates  the  opportunity  to  submit  tes- 
timony to  the  Health  Subcommittee  of  the  Ways  and  Means  Committee  regarding 
an  issue  central  to  the  patient-physician  relationship:  protecting  patient  confiden- 
tiality. We  particularly  appreciate  the  chance  to  share  with  you  our  concerns  regard- 
ing the  Secretary  of  Health  and  Human  Services'  (HHS)  proposed  rule  on  patient 
privacy,  for  which  public  comments  are  due  today  ("Proposed  Standards  for  Privacy 
of  Individually  Identifiable  Health  Information,"  45  CFR  Parts  160  through  164,  64 
Fed.  Reg.  59917  (November  3,  1999)). 
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Personal  health  information  is  used  by  various  entities  in  the  health  care  delivery 
system,  including  hospitals  and  health  plans,  for  purposes  beyond  direct  treatment 
planning  and  claims  pa5mient.  Each  of  these  entities  argues  it  needs  patient-identifi- 
able health  information  to  achieve  its  legitimate  objective;  most  believe  they  do  not 
need  explicit  patient  consent  to  receive  and  use  such  information.  That  philosophy 
is  reflected  in  the  Secretary's  proposed  rule  and  preamble.  It  is  a  philosophy  rejected 
by  the  AMA. 

The  AMA  has  consistently  maintained  that  an  expressed  "need"  for  information 
does  not  confer  a  right.  Patient  consent  continues  to  be  a  critical  consideration  in 
the  use  and  disclosure  of  personally  identifiable  health  information.  Consistent  with 
AMA's  basehne  philosophy  regarding  individual  privacy  rights,  informed  consent 
should  be  obtained,  where  possible,  before  personally  identifiable  health  information 
is  used  for  any  purpose.  However,  this  is  clearly  not  practical  or  even  possible  in 
some  instances.  In  those  situations  in  which  patient  consent  is  not  feasible,  either 
(a)  the  information  should  have  identifying  information  stripped  fi-om  it  or  (b)  an 
objective,  publicly-accountable  entity  must  conclude  that  patient  consent  is  not  re- 
quired after  weighing  the  risks  and  benefits  of  the  proposed  use.  A  local  review 
board  system  has  already  been  adopted  successftdly  by  several  parties  to  the  health 
care  system,  including  physicians,  some  researchers,  a  few  health  plans,  and  others. 

Some  parties  may  reject  this  principle  as  too  deferential  to  patients'  rights  at  the 
expense  of  administrative  feasibiUty.  The  AMA  believes  that  this  approach  properly 
balances  the  interests  at  stake.  Furthermore,  it  is  the  right  thing  to  do.  At  a  time 
when  the  American  public  is  looking  to  its  leaders  for  a  strong  stand  on  patients' 
rights,  any  other  policy  fails  patients,  their  families  and  their  caregivers. 

The  AMA  cannot  support  the  proposed  HHS  regulation  on  patient  privacy  in  its 
current  form.  The  complexity  of  the  task,  compounded  by  the  inherent  restrictions 
imder  the  Health  Insurance  Portability  and  Accountability  Act's  (HIPAA)  hmited 
grant  of  regulatory  authority,  have  resulted  in  a  proposed  regulation  that  does  not 
adequately  protect  patient  confidentiality  and  privacy  and  that  substantially  and 
unacceptably  increases  administrative  burdens  for  physicians. 

The  AMA's  overarching  concerns  are  as  follows: 

•  that  patients'  confidential  information  could  be  disclosed  without  their  consent 
for  a  broad  array  of  purposes  unrelated  to  the  patient's  individual  treatment  or  pay- 
ment and  extending  far  beyond  the  necessary  disclosures  and  uses  patients  would 
expect  when  they  seek  health  care; 

•  that  many  holders  of  patient  information  who  may  misuse  such  information 
would  not  be  held  accountable  under  the  proposed  regulation,  despite  attempts  to 
bring  them  within  regulatory  reach  by  compelling  physicians  and  other  covered  enti- 
ties to,  in  effect,  "police"  them; 

•  that  physicians  will  be  held  Hable  for  the  uncontrollable  misdeeds  of  their  "busi- 
ness partners,"  although  the  physicians  themselves  are  in  compliance  with  the  regu- 
lation's provisions; 

•  that  the  administrative  burden  and  costs  of  implementing  the  proposed  regula- 
tion have  not  been  adequately  calculated,  and  would  have  a  disproportionate  impact 
on  small  physician  offices;  and 

•  that  the  proposed  rule  contradicts  the  intention  of  its  legislative  directive  under 
HIPAA  to  "simplify"  health  care  administration  and  reduce  costs,  and  does  not  im- 
prove patients'  expectation  of  privacy  in  the  health  care  system. 

Applicability 

The  proposed  regulation  does  not  cover  a  broad  spectrum  of  entities  that  are  posi- 
tioned to  disclose  and  misuse  confidential  patient  information.  The  AMA  finds  unac- 
ceptable the  Secretarjr's  attempt  to  "fill  the  gap"  in  its  legislative  authority  by  re- 
quiring physicians  and  other  health  care  practitioners  to,  in  effect,  "police"  others 
who  should  be  held  accountable.  Such  a  proposal  is  not  only  inherently  unfair,  it 
is  gdso  ineffective  insofar  as  patients  may  be  left  without  any  recourse  against  a 
party  who  wrongfully  discloses  or  misuses  their  confidential  medical  information. 

General  rules 

The  proposed  regulation  seemingly  is  more  concerned  with  facilitating  the  ease  of 
information  flow  for  the  broadly  defined  purposes  of  treatment,  pa3mient,  and  health 
care  operations  than  it  is  with  protecting  patients'  confidentiality  and  privacy  inter- 
ests. AMA's  policy  states  that  "[cjonflicts  between  a  patient's  right  to  privacy  and 
a  third  party's  need  to  know  should  be  resolved  in  favor  of  patient  privacy."  In  the 
AMA's  view,  the  general  rule  should  begin  with  preserving  confidentiality  and  pri- 
vacy and  allowing  disclosure  only  when  it  is  ethically  and  legally  justified. 
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Scalability — The  AMA  applauds  the  Secretary's  recognition  that  a  "single  ap- 
proach to  implementation  of  these  requirements  would  be  neither  economically  fea- 
sible nor  effective  in  safeguarding  health  information  privacy."  Though  we  appre- 
ciate the  flexibiUty  physicians  and  other  health  care  practitioners  will  be  accorded 
in  implementing  this  proposed  regulation,  we  are  concerned  that  a  lack  of  clear 
guidance  inevitably  will  lead  to  costly  disputes  about  comphance. 

Minimum  necessary  use  and  disclosure — We  agree  with  the  Secretary's  goal  of 
precluding  wholesale  transfers  of  complete  medical  records  when  only  a  small  por- 
tion is  pertinent  to  the  patient's  current  treatment,  but  beUeve  the  proposed  rule's 
solution  may  be  imworkable.  In  crafting  a  solution  to  the  question  of  limiting  disclo- 
sures, we  recommend  a  requirement  for  requesters  to  make  the  "minimum  nec- 
essary demand."  While  physicians  could  certainly  engage  the  requester  in  a  dialogue 
regEirding  what  specific  information  might  be  needed  in  any  given  instance,  the  H- 
abihty  woiild  be  on  the  requester  for  seeking  prohibited  information,  rather  than  on 
the  physician  for  not  adequately  divining  the  motivations  of  the  requester. 

Creation  of  De-Identified  Information — The  AMA  favors  any  provisions  of  the  rule 
that  would  have  the  effect  of  creating  incentives  to  "de-identify"  medical  informa- 
tion. However,  we  beUeve  the  proposed  rule  would  actually  create  a  disincentive  to 
de-identify  information.  We  recommend  revising  the  list  of  "identifiers"  to  be  re- 
moved from  the  medical  record,  combined  with  an  expHcit  prohibition  against  'link- 
ing" or  re-identifying  without  authorization.  This  will  provide  entities  with  a  greater 
incentive  to  de-identify  information,  while  holding  wrongdoers  properly  accountable. 

Business  partners — The  AMA  strongly  objects  to  the  proposed  rules  approach  of 
holding  physicians  and  other  covered  entities  responsible  for  certain  violations  of  the 
rule's  requirements  by  their  business  partners.  As  a  matter  of  fairness,  the  proposal 
fails.  A  physician  group,  for  example,  could  be  subject  to  the  full  weight  of  enforce- 
ment and  sanctions  under  the  regulation  for  prohibited  activity  by  its  business  part- 
ners, even  if  the  group  had  no  knowledge  or  control  over  the  practices  of  its  business 
partner.  The  AMA  objects  to  these  provisions  because  they  present  the  potential  for 
significant  liability  for  physicians  who,  themselves,  are  complying  with  the  regula- 
tion's requirements. 

Component  entities — ^We  beUeve  the  proposed  regulation  should  be  modified  to  ex- 

Eressly  recognize  the  necessity  of  firewalls  within  businesses  or  entities  that  provide 
ealth  care  as  a  non-core  function.  Examples  might  be  school  health  clinics,  on-site 
employee  health  services  offered  by  businesses  or,  employers  who  operate  self-fund- 
ed nealth  plans  for  their  employees.  We  are  particularly  concerned  about  this  last 
category;  pubUc  polling  indicates  that  people  are  deeply  concerned  that  their  em- 
ployers are  inappropriately  accessing  their  private  medical  information.  Our  key 
concern  in  these  instances  is  in  assuring  that  firewalls  exist  between  the  health  pro- 
vider function  and  all  other  elements  of  the  entity. 

Uses  and  disclosures  with  individual  authorization 

The  AMA  strongly  supports  a  requirement  for  an  individual's  authorization  for 
most  uses  of  his  or  her  identifiable  health  information.  The  Secretary  notes,  and  the 
AMA  agrees,  that  individuals  generally  do  not  recognize  that  their  information  may 
be  used  for  a  multitude  of  purposes  beyond  their  individual  care  and  payment  for 
that  care.  This  fact  imderUes  the  AMA's  advocacy  for  a  consent  requirement  for 
most  uses  of  an  individual's  private  health  information. 

We  strongly  object  to  the  provision  that  would  prohibit  physicians  from  seeking 
their  patients'  authorization  for  treatment,  payment  or  health  care  operations.  This 
provision  flies  in  the  face  of  medical  ethics  and  directly  contradicts  the  Secretaries 
expressed  intent  in  the  preamble,  and  should  be  deleted  from  the  rule. 

Uses  and  disclosures  for  treatment,  payment  and  health  care  operations  without  pa- 
tient authorization 

The  AMA  questions  the  Secretary's  rationale  for  choosing  to  construe  the  terms 
"treatment"  and  "payment"  so  broadly.  The  definition  of  "treatment,"  for  example, 
would  include  cost  containment  mechanisms  such  as  case  and  disease  management 
that  go  to  managing  the  costs  of  populations,  rather  than  the  health  care  of  an  indi- 
vidual. 

Patients  reasonably  expect  that  the  treatment  rendered  by  their  physician  will  be 
revealed  to  their  health  plan  or  other  insurer  to  pay  the  claim  for  benefits.  However, 
patients  do  not  expect,  nor  do  they  welcome,  unauthorized  access  to  health  informa- 
tion disclosed  in  the  context  of  a  confidential  relationship  for  the  wide  range  of  pur- 
poses HHS  beUeves  to  be  somehow  "compatible  with  and  directly  related"  to  treat- 
ment or  payment. 

The  AMA  strongly  opposes  any  "disease  management"  language  in  the  proposed 
rule  that  is  not  qualified  by  requiring  the  coordination  and  cooperation  of  the  indi- 
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vidual's  physician.  Patients  should  have  the  right  to  consent  to-or  refuse-participa- 
tion in  disease  management  programs  offered  by  providers  and  plans. 

The  diversity  of  proposed  uses  for  information  advocated  by  various  groups  illus- 
trates the  inherent  difficulty  in  addressing  these  evolving  functions  within  any  stat- 
ic legislative  or  regulatory  definition.  We  recommend  application  of  the  controlling 
rule  iterated  throughout  AMA's  comment  letter:  informed  consent  should  be  ob- 
tained before  personally  identifiable  health  information  is  used  for  any  purpose.  For 
those  many  ftmctions  or  circumstances  for  which  patient  consent  is  not  feasible,  the 
information  would  either  have  to  be  de-identified  to  be  used,  or  the  decision  regard- 
ing its  use  without  patient  consent  would  be  made  by  an  objective,  publicly-account- 
able process  that  weighs  the  risks  against  the  benefits  of  the  proposed  use.  This 
should  apply  to  all  operational  uses  of  personally  identifiable  health  information 
that  do  not  go  directly  to  the  individual's  specific  care,  as  well  as  research  projects 
that  fall  outside  the  purview  of  an  IRB  process. 

Right  to  restrict — ^We  beHeve  the  "right  to  request  restriction"  is  an  unworkable 
"consolation  prize"  for  patients  who  have  had  their  right  to  consent  taken  away  fi'om 
them  by  government  fiat.  In  addition  to  its  ethical  flaws,  we  beheve  that  offering 
a  right  to  restrict  presents  the  potential  to  drive  a  wedge  between  patients  who 
want  to  impose  further  restrictions  and  providers  who  cannot  agree  to  such  arrange- 
ments due  to  the  overwhelming  administrative  burdens  and  potential  liability  that 
such  individual  arrangements  would  entail. 

Permissible  uses  and  disclosures  for  purposes  other  than  treatment,  payment  and 
health  care  operations 

The  preamble  notes  that  certaiin  "national  priority"  activities,  as  well  as  the 
"smooth  functioning  of  the  health  care  system,"  require  the  extensive  use  of  individ- 
ually identifiable  health  information.  The  AMA  believes  that  the  proposed  rule 
weighs  far  too  heavily  in  favor  of  those  who  seek  access  to  patients'  private  medical 
information  (often  the  government),  with  inadequate  deference  paid  to  patients'  fun- 
damental right  of  privacy. 

Public  health — While  mindful  that  we  should  not  create  unduly  restrictive  bar- 
riers for  public  health  researchers  to  access  information,  the  AMA  beUeves  that  epi- 
demiologic research  on  public  health  and  problems  should  be  guided  by  the  same 
principles  for,  and  safeguards  on,  privacy  and  confidentiality  that  apply  to  all  other 
medical  research.  These  breaches  in  confidentiality  for  a  public  health  purpose  are 
no  different  from  any  other  breach  of  a  patient's  confidentiality  that  benefits  others 
beside  the  patient,  barring  imminent  public  health  emergencies. 

Health  oversight  agencies — The  AMA  agrees  with  the  Secretary  that,  generally, 
oversight  activities  are  important  to  support  national  priorities;  however,  we  believe 
that  a  majority  of  these  activities  could  be  conducted  in  a  manner  that  is  less  intru- 
sive and  more  sensitive  to  the  need  to  protect  confidential  patient  information.  We 
believe  that  the  definition's  sweeping  inclusion  of  virtually  all  government  agencies 
that  may  have  any  connection,  albeit  remote,  to  health  care  may  result  in  wide- 
spread fishing  expeditions  for  confidential  patient  information.  Even  more  troubling, 
is  that  the  proposed  regulation  promotes  such  access  knowing  that  there  are  few 
safeguards  in  place  to  protect  against  the  government's  wrongful  disclosure  or  use. 

The  AMA  strenuously  objects  to  the  seemingly  unfettered  and  unauthorized  ac- 
cess governmental  agencies  will  be  accorded  under  the  proposed  regulation  as  it  is 
currently  drafted.  We  recommend  that  if  identifiable  information  is  used,  it  should 
be  accompanied  by  a  Hmitation  on  further  uses  or  access  by  other  entities.  Our  chief 
concern  here  is  that  access  by  health  oversight  agencies  does  not  become  a  "back- 
door" for  law  enforcement  access. 

Judicial  and  Administrative  Proceedings — While  the  AMA  supports  the  general 
provisions  of  this  section,  we  recommend  strengthening  the  language  to  increase  ob- 
jectivity and  to  limit  subsequent  unauthorized  use  and  re-disclosure.  An  order  by 
a  court  or  administrative  law  judge  provides  some  opportunity  for  an  objective 
screening  mechanism  to  balance  the  interests  at  stake  in  the  proceeding,  and  should 
be  required  for  all  access  in  judicial  and  administrative  proceedings. 

Law  Enforcement — The  AMA  believes  strongly  that  the  requesting  law  enforce- 
ment entity  should  be  allowed  access  to  medical  records  only  through  a  court  order. 
Our  position  is  that  a  strong  legal  standard,  accompanied  by  a  set  of  parameters 
on  need  and  use,  is  essential  to  protecting  not  only  personal  medical  information, 
but  the  confidence  of  citizens  in  their  government. 

This  is  not  an  abstract  concern.  Physicians  and  their  patients  have  repeatedly  ex- 
perienced the  intrusion  of  law  enforcement  into  patients'  personal  medical  informa- 
tion when  no  need  for  identifiable  information  is  established  and  no  protections  are 
pro^/ided.  The  unfortunate  result  is  less  -rather  than  greater-confidence  in  the  law 
enforcement  and  judicial  systems  of  this  country. 
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Governmental  Health  Data  Systems — The  AMA  strongly  objects  to  the  troubling 
premise  seemingly  underlying  the  entire  proposed  rule,  and  particularly  evident 
here,  that  government  oversight  of  the  efficiency  and  effectiveness  of  the  health  care 
"system"  is  somehow  a  more  compelling  national  priority  than  protecting  individual 
citizens'  right  to  privacy.  We  cannot  agree  with  reasoning  wherein  the  federal  gov- 
ernment appears  to  value  even  marginal  increments  of  administrative  efficiency 
over  the  basic  rights  of  individuals  to  protect  the  privacy  of  their  own  health  infor- 
mation. 

The  AMA  sees  no  reason  why  government's  research  and  pohcy  analysis  purposes 
could  not  be  fulfilled  using  de-identified  individual  or  aggregate  information.  Fur- 
ther, if  the  government  believes  it  requires  individually  identifiable  health  informa- 
tion for  its  particular  purpose,  it  should  be  required  to  obtain  the  individual's  con- 
sent for  such  disclosure  and  use,  or  to  justify  the  value  of  the  proposed  project  and 
the  reasons  why  obtaining  consent  is  impracticable  or  impossible. 

Research — The  AMA  strongly  supports  the  extension  of  the  Common  Rule  to  all 
entities  conducting  human  subject  research,  regardless  of  their  federal  nexus,  and 
applauds  the  Secretary's  efforts  in  this  important  area.  We  agree  with  the  Sec- 
retary's conclusion  that  the  nexus  of  federal  funding  is  irrelevant  in  deciding  the 
question  of  whether  human  research  subjects  should  be  protected.  As  a  matter  of 
pubHc  pohcy,  individuals  should  be  protected  if  they  or  their  information  are  the 
subject  of  health-related  research.  The  source  of  the  funding  should  not  result  in  dif- 
ferent levels  of  protection. 

Individual  rights 

The  AMA  supports  the  rights  of  individual  to  access  their  medical  records,  subject 
to  limited  exceptions,  which  is  the  approach  adopted  by  the  Secretary.  We  beheve 
that  the  physical  record  and  notes  made  in  treating  the  patient  belong  to  the  physi- 
cian; however,  the  information  contained  in  the  record  is  the  patient's.  Thus,  certain 
rights  should  attach  for  both  the  patient  and  the  physician. 

Administrative  requirements  and  policy  development  and  documentation 

This  provision  sets  out  an  extensive  series  of  administrative  requirements  that 
physicians  and  other  covered  entities  would  have  to  incorporate  into  their  practice 
or  business.  The  AMA  has  significant  concerns  about  the  substantial  administrative 
and  financial  burdens  this  might  place  on  physician  practices,  particularly  those 
smaller  practices  whose  administrative  personnel  are  already  stretched  to  the  limit 
with  various  governmental  and  health  plan  requirements. 

The  AMA  objects  in  the  strongest  terms  to  the  school  of  bureaucratic  thought  that 
requires  documentation  that  one  is  going  to  do  something,  followed  by  documenta- 
tion that  one  is  doing  that  same  thing,  and  then  requires  documentation  that  the 
same  thing  has  been  done.  Physicians  and  their  office  staffs  are  absolutely  over- 
whelmed by  current  paperwork  requirements  generated  by  well-intended,  but  poorly 
thought  out,  regulations.  Such  redundant  documentation  requirements  are  for  the 
administrative  ease  of  compHance  officers — not  for  physicians  and  certainly  not  for 
patients.  Masses  of  documentation  allow  comphance  officers  to  push  their  familiar 
paper  and  quibble  over  parenthetical  clauses  rather  than  to  really  investigate  to  see 
when  a  true  wrong  has  been  committed. 

The  AMA  recommends  that  the  paperwork  and  documentation  elements  of  the 
proposed  rule  be  withdrawn  completely  and  rethought  with  a  more  realistic  and 
flexible  implementation  approach  for  smaller  physician  offices.  After  all,  is  the  goal 
to  actually  protect  patient  privacy,  or  is  it  to  create  paper  saying  that  we  do? 

Physicians  and  other  hcensed  health  care  professionals  already  use  an  array  of 
administrative  tools  to  honor  existing  ethical  and  legal  obligations  to  keep  patient 
information  confidential.  We  beheve  that  a  prudent  implementation  of  the  proposed 
rule's  administrative  requirements  would  permit  these  covered  entities  to  modify 
these  existing  tools,  rather  than  requiring  them  to  "reinvent  the  wheel."  The  cor- 
porate entities  that  currently  do  Httle  or  nothing  to  protect  patient  privacj^  are  those 
that  the  proposed  regulation  should  highlight  for  additional  administrative  protec- 
tions. In  addition,  we  beheve  that  the  Secretary  has  not  adequately  calculated  the 
costs  of  implementing  the  administrative  requirements  under  the  proposed  regula- 
tion. We  beheve  the  proposed  regulation  would  have  a  disproportionate  impact  on 
small  business  (individual  and  groups  of  physicians  and  other  health  care  practi- 
tioners). 

Preemption  and  Relationship  to  State  Laws 

The  AMA  is  deeply  concerned  that,  while  the  proposed  rule  suggests  that  its  pre- 
emption provision  sets  a  federal  "floor"  for  preemption,  a  raft  of  subsequent  excep- 
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tions  and  qualifiers  completely  undermine  the  provision,  creating  a  federal  'TDase- 
ment,"  rather  than  a  federal  "floor." 

AMA  poUcy  supports  a  preemption  provision  that  preserves  more  stringent  state 
confidentiaUty  laws,  so  that  federal  and  state  privacy  protections  would  be  cumu- 
lative. The  proposed  rule  fails  to  provide  due  deference  to  the  States. 

This  section  is  also  flawed  by  the  fact  that  entities — specifically  physicians — regu- 
lated by  the  rule  would  not  be  able  to  independently  ask  the  Secretary  for  clarifica- 
tion as  to  which  law  to  abide  by.  All  queries  must  be  presented  by  the  States.  Two 
implementation  problems  are  immediately  evident: 

(1)  physicians  who  seek  to  comply  with  state  law,  believing  in  good  faith  that  it 
is  more  stringent  than  the  federal  standard,  could  be  in  violation  of  the  regulation 
without  ever  knowing  or  having  an  opportunity  to  directly  request  guidance  from 
the  Secretary;  and 

(2)  State  governments  could  have  a  conflict  of  interest,  as  one  of  the  largest  health 
data  collectors,  in  bringing  forward  queries  to  the  Secretary. 

Compliance  and  Enforcement 

Due  to  the  lack  of  concrete  guidance  in  its  current  form,  the  proposed  regulation 
may  unwittingly  expose  physicians  and  other  covered  entities  to  fines  for  noncompH- 
ance  despite  good  faith  efforts  to  comply.  The  AMA  is  also  troubled  by  the  implicit 
federal  overlap  created  by  this  nile  wherein  the  traditional  role  of  the  states'  medi- 
cal Ucensure  boards  in  overseeing  physicians'  ethical  practice  is  usurped  by  federal 
enforcement. 

We  are  encouraged  to  note  the  Secretary's  philosophy  of  providing  "a  cooperative 
approach  to  obtaining  compliance,"  that  looks  to  an  educational,  rather  than  puni- 
tive, approach  to  resolve  disputes.  The  AMA  nevertheless  questions  the  role  of  the 
Secretary  or  any  federal  officer  to  investigate  complaints  against  physicians  for 
breaches  of  patient  confidentiaUty.  This  is  the  traditional  realm  of  state  medical  H- 
censing  boards  and  their  premier  role  in  pursuing  this  type  of  activity  is  clearly  ar- 
ticulated in  State  medical  practice  acts. 

Cost  of  Compliance 

The  AMA  notes  that  the  cost  to  comply  with  the  proposed  privacy  regulations 
clearly  is  not  a  one-time  cost  but  will  be  a  perpetual  and  continuing  commitment, 
and  this  should  be  reflected  in  the  analysis.  These  continuing  costs  are  not  antici- 
pated by  the  proposed  rule.  Furthermore,  the  proposed  rule  could  impose  significant 
new  costs  on  physicians'  practices,  with  the  potential  to  disproportionately  burden 
small  physician  offices.  We  believe  this  runs  counter  to  the  expUcit  intent  of 
HIPAA's  "Administrative  Simphfication"  provisions,  which  require  "any  standard 
adopted  under  this  part  shall  be  consistent  with  the  objective  of  reducing  the  admin- 
istrative costs  of  providing  and  paying  for  health  care."  (Sec.  262.  "Administrative 
Simplification,"  "Sec.  1172(b)  Reduction  of  Costs.") 

Conclusion 

The  Secretary  notes  that  she  has  attempted  to  create  a  regulation  that  strikes  a 
balance  between  permitting  important  uses  of  health  information  while  respecting 
an  individual's  right  to  privacy.  We  commend  the  Secretary  for  the  attempt  to  ad- 
dress these  complex  issues,  particularly  within  the  restrictive  framework  permitted 
under  HIPAA.  The  AMA  does  not  believe,  however,  that  the  proposed  regulation 
achieves  the  necessary  and  proper  balance.  The  proposed  regulation  would  not  ade- 
quately protect  patient  privacy  and  confidentiality  and  it  would  substantially  and 
unacceptably  increase  administrative  burdens  for  physicians.  For  these  reasons,  we 
cannot  support  the  proposed  regulation  in  its  current  form. 

Further,  the  parameters  set  under  HIPAA  for  regulatory  action  do  not  permit  the 
full  scope  of  protections  that  physicians  believe  patients  deserve  in  any  federal  pri- 
vacy law.  We  beHeve  that  the  first  step  of  an}'  ultimately  successftd  proposal,  legis- 
lative or  regulatory,  must  be  to  place  the  patient  first.  Each  entity  seeking  access 
to  patients'  most  confidential  medical  information  must  pass  the  stringent  test  of 
showing  why  its  professed  need  should  override  individuals'  most  basic  right  in 
keeping  their  own  information  private.  Moreover,  citizens  deserve  a  full  and  open 
discussion  of  exactly  who  wants  their  private  medical  information  and  for  what  pur- 
pose. Only  then  may  the  true  balancing  of  interests  take  place.  These  are  the 
ground  niles  of  AMA  poHcy  and  they  should  be  the  ground  rules  for  the  federal  de- 
bate regarding  patient  privacy. 
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Chairman  Thomas.  Thank  you,  very  much,  Doctor.  Ms.  Fox? 

STATEMENT  OF  ALISSA  FOX,  EXECUTIVE  DIRECTOR,  OFFICE 
OF  POLICY  AND  REPRESENTATION,  BLUE  CROSS  BLUE 
SHIELD  ASSOCIATION 

Ms.  Fox.  Mr.  Chairman  and  members  of  the  committee,  thank 
you  very  much  for  this  opportimity  to  speak  to  you  today. 

Blue  Cross  and  Blue  Shield  Association  agrees  that  standards 
are  necessary  to  assure  all  consumers  that  their  medical  informa- 
tion is  kept  strictly  confidential.  For  our  plans,  there  is  absolutely 
no  question  as  to  whether  patient  records  should  be  kept  private, 
but  only  as  to  how  this  shoiild  be  done. 

We  have  extensive  reviewed  the  proposed  HHS  rules  with  our 
plans  and  have  concluded  that  without  substantial  changes,  the 
proposal  is  operationally  infeasible,  extremely  costly,  and  would 
threaten  quality  improvement  efforts  throughout  the  health  care 
system. 

Today,  we  submitted  over  50  pages  of  detailed  formal  comments, 
as  well  as  recommendations  to  HHS.  I  would  like  to  highlight  our 
four  top  issues. 

First,  as  discussed  earlier,  this  proposal  would  layer  new  Federal 
rules  on  top  of  existing  state  laws  that  will  make  it  extremely  con- 
fusing for  everyone.  HLC  has  an  excellent  chart  illustrating  this. 

For  consimiers,  it  will  be  extremely  difficult  to  know  what  their 
rights  are,  and  who  do  you  csdl  when  you  have  questions  or  prob- 
lems? Do  you  call  the  state?  Which  state?  How  many  states?  Or  do 
you  call  HHS? 

Second,  the  new  business  partner  requirement  would  force  plans, 
doctors,  and  hospitals  to  assure  all  of  their  partners  comply  with 
these  rules.  This  is  simply  unworkable  and  would  be  very  expen- 
sive because  everyone  would  end  up  monitoring  everyone  else.  Hos- 
pitals monitoring  doctors,  plans  monitoring  hospitals.  We  have 
urged  HHS  to  drop  this  requirement. 

Third,  the  new  minimum  necessary  rule  would  require  all  of  us 
to  establish  new  procedures  and  reorganize  and  redesign  our  oper- 
ations, so  we  are  only  disclosing  the  minimum  information  nec- 
essary in  each  and  every  case.  This  would  undermine  all  of  our  ef- 
forts to  assure  that  patients  receive  the  right  care  at  the  right 
time. 

Simply  put,  this  erects  road  blocks  to  assuring  patients  receive 
the  best  possible  care  and  runs  counter  to  the  new  Institute  of 
Medicine  report,  which  highlights  the  need  for  complete  and  timely 
access  to  patient  medical  information  to  prevent  the  wrong  care. 

Fourth,  we  are  concerned  that  the  way  the  proposal  is  con- 
structed, it  may  make  it  difficult  and  perhaps  even  impossible  for 
plans  to  continue  existing  beneficial  fimctions  such  as  disease  man- 
agement programs.  This  is  because  the  list  of  the  functions  in  the 
health  plan  definition  misses  many  key  functions  we  do  today.  And 
we  worry  that  it  could  limit  what  we  do  in  the  future  as  we  evolve 
to  meet  consumer  demands  in  the  21st  century,  where  the  pace  of 
technological  advances  continues  to  amaze  us  all. 


48 


Finally,  we  are  extremely  concerned  about  the  cost  of  implement- 
ing such  a  complicated  proposal.  We  commissioned  the  Nolan  Com- 
pany to  estimate  the  cost  of  several  provisions  and  their  estimate 
is  over  $40  billion  for  the  entire  health  care  system  over  a  five  year 
period.  This  estimate  is  multiple  times  higher  than  the  HHS  esti- 
mate. 

A  key  reason  for  this  difference  is  that  HHS  did  not  estimate 
many  of  the  provisions  we  believe  will  be  extremely  expensive. 
HHS  has  said  they  did  not  have  the  information  and  data  to  do 
these  estimates.  We  hope  that  our  study  will  be  useful  to  them. 

Mr.  Chairman  and  members  of  the  committee,  let  me  close  by 
saying  that  we  must  be  smart  in  what  we  ask  of  the  health  care 
system.  We  must  evaluate  new  requirements  very  carefully  to 
make  sure  that  they  are  the  most  cost  effective  and  efficient  way 
of  protecting  patients.  We  believe  that  major  changes  are  needed 
to  assure  we  are  not  unnecessarily  adding  to  the  cost  of  insurance 
coverage  or  jeopardizing  our  health  care  system  which  continues  to 
provide  the  best  care  in  the  world.  And  most  importantly,  we  must 
avoid  redirecting  scarce  dollars  from  benefits  to  administrative 
costs. 

Thank  you  very  much. 

[The  prepared  statement  follows:] 

Statement  of  Alissa  Fox,  Executive  Director,  Office  of  Policy  and 
Representation,  Blue  Cross  Blue  Shield  Association 

Mr.  Chairman  and  Members  of  the  Committee,  I  am  Alissa  Fox,  Executive  Direc- 
tor for  the  Blue  Cross  and  Blue  Shield  Association.  The  Blue  Cross  and  Blue  Shield 
Association  (BCBSA)  represents  49  independent  Blue  Cross  and  Blue  Shield  Plans 
across  the  country,  covering  over  74  million  Americans  -or  one  in  every  four  individ- 
uals. 

Thank  you  for  the  opportunity  to  testify  today  regarding  our  major  concerns  with 
the  proposed  regulations  setting  privacy  standards  for  individually  identifiable 
health  information  issued  by  the  Department  of  Health  and  Human  Services  (HHS) 
on  November  3,  1999. 

BCBSA  believes  that  safeguarding  the  privacy  of  medical  records  is  of  paramount 
importance.  All  consumers  should  be  confident  their  medical  information  is  kept 
confidential.  For  BCBS  Plans,  there  is  no  question  as  to  whether  patient  records 
should  be  kept  confidential,  but  only  as  to  how  this  should  be  accomplished.  We  look 
forward  to  working  with  Congress  and  the  Department  of  Health  and  Human  Serv- 
ices (HHS)  to  implement  practical  privacy  protections  that: 

•  allow  for  the  timely  delivery  of  and  pajnnent  for  health  care  services; 

•  facilitate  efibrts  to  deliver  safe  and  high  quality  care;  and, 

•  minimize  costs  and  administrative  paperwork  for  consumers,  providers  and  oth- 
ers in  fulfillment  of  the  objectives  of  Health  Insurance  Portability  and  Accountabil- 
ity Act's  (HIPAA)  Administrative  Simplification  provisions. 

It  is  clear  from  the  proposed  regulation  that  HHS  sought  to  balance  the  need  to 
safeguard  medical  records  with  the  ability  of  the  health  care  system  to  provide 
health  care  services  efficiently.  We  recognize  that  the  staff"  of  HHS  has  worked  long 
hours  in  an  attempt  to  develop  regulations  that  would  not  impede  our  modern 
health  care  system. 

However,  despite  their  efforts,  we  remain  concerned  that  the  proposed  regulation 
needs  significant  revision.  Without  substantial  changes,  the  proposal  is  operation- 
ally infeasible  and  extremely  costly.  It  would  slow  the  delivery  and  payment  of  care 
to  providers  and  consumers,  threaten  the  assurance  of  quality,  and  exacerbate  the 
cost  of  health  care. 

My  testimony  focuses  on  five  key  areas: 

I.  Scope  of  the  Regulation 

II.  Key  Concerns  with  the  Regulation 

III.  Positive  Aspects  of  the  Regulation 

IV.  Cost  of  the  Regulation 

V.  Recommendations 
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1.  Scope  of  the  Regulation  '  '  '  ' 

HIPAA  provided  HHS  the  authority  to  promulgate  privacy  standards  for  con- 
sumer health  information  if  Congress  did  not  pass  legislation  by  August  1999,  The 
statute  directed  HHS  to  issue  rules  governing  standards  with  respect  to  the  privacy 
of  individually  identifiable  health  information  transmitted  in  connection  with  the 
transactions  described  in  section  1173(a)" — certain  standardized  transactions  for 
claims  pa3rment  and  other  functions.  This  directs  the  Secretary  to  develop  a  narrow 
set  of  privacy  rules  for  the  specific  transactions  that  are  developed  and  transmitted 
imder  Administrative  Simplification.  However,  the  proposed  rule  estabhshes  stand- 
ards that  far  exceed  this  mandate.  The  proposal  would  affect  virtually  all  players 
in  the  health  care  industry  as  well  as  many  other  organizations — such  as  schools, 
employers,  and  accounting  firms  -and  the  vast  majority  of  information. 

The  proposal  would  require  covered  entities  (i.e.,  health  plans,  providers,  and 
clearinghouses)  to: 

•  Obtain  new  authorizations  fi-om  consumers  before  using  or  disclosing  informa- 
tion, except  for  purposes  of  treatment,  payment,  health  care  operations  and  other 
limited  circumstances; 

•  Allow  individuals  to  inspect,  copy  and  amend  much  of  their  medical  informa- 
tion; 

•  Track  all  disclosures  made  other  than  for  treatment,  payment  and  health  care 
operations; 

•  Recontract  with  all  business  partners  to  require  them  to  use  and  disclose  infor- 
mation according  to  the  new  privacy  rules  and  assure  that  business  partners  are 
complying; 

•  Institute  procedures  to  assure  that  only  the  minimum  information  necessary  is 
used  or  disclosed  for  a  given  purpose; 

•  Designate  a  privacy  official  and  train  staff; 

•  Follow  specific  rules  before  using  protected  health  information  for  research; 
and, 

•  Develop  a  host  of  new  policies,  procedures  and  notices. 

In  imderstanding  the  ftdl  scope  and  impHcations  of  the  regulation,  it  is  important 
to  be  aware  of  the  following: 

•  The  Regulation  is  Not  Limited  to  Electronic  Records:  Many  news  accounts  de- 
scribe the  proposed  regulation  as  applying  to  electronic  records  only.  This  is  far  from 
accurate.  The  regulation  specifically  apphes  to  electronic  records,  as  well  as  any  for- 
mat of  a  record  that  has  ever  (or  will  ever  be)  electronically  transmitted  or  main- 
tained. This  broad  brush  covers  milhons  of  paper  records,  oral  records  and  other 
storage  formats.  In  addition,  because  it  would  be  so  difficult  to  distinguish  ordinary 
paper  records  fi-om  paper  records  that  had  been  (or  would  be)  electronically  trans- 
mitted, the  practical  effect  of  the  regulation  would  be  that  doctors,  health  plans  and 
other  covered  entities  would  need  to  apply  the  protections  to  all  of  their  records,  of 
any  format. 

•  The  Regulation  Affects  Internal  Uses  of  Information  as  well  as  Disclosures:  A 
common  misconception  regarding  the  regulation  is  that  it  simply  regulates  the  dis- 
closure of  information  to  a  third  party.  In  fact,  the  regulation  actually  affects  the 
use  of  information  internally  within  an  organization.  This  means  that  organizations 
would  be  required  to  comply  with  aU  the  rules  even  when  they  use  information  in- 
ternally for  treatment  purposes,  claims  management,  utihzation  review  and  other 
routine  health  care  purposes. 

•  The  Regulation  Affects  a  Broad  Array  of  Organizations  and  Information:  The 
definition  of  "covered  entity"  in  the  regulation  is  broad  in  scope — including  not  only 
doctors,  hospitals  and  health  plans  but  employers  operating  their  own  health  plans 
(insured/self-fiinded),  laboratories,  pharmacists  and  many  others.  Many  organiza- 
tions that  are  not  included  specificaQy  as  a  "covered  entitj^'  are  indirectly  subjected 
to  the  privacy  rule  through  a  new  requirement  that  all  covered  entities  must  regu- 
late their  "business  partners."  For  instance,  lawyers,  accountants  and  other  non- 
health  oriented  organizations  could  fall  into  this  category. 

•  In  addition,  the  definition  of  "protected  health  information"  (PHI)  in  the  regula- 
tion is  much  broader  than  what  most  individuals  consider  their  health  information. 
The  definition  of  PHI  goes  beyond  an  individual's  medical  records  to  include  insur- 
ance records  and  status,  oral  information,  demographic  data,  and  insurance  status. 

//.  Key  Concerns  with  Regulation 

Today,  BCBSA  submitted  over  50  pages  of  detailed  formal  comments  to  HHS  on 
a  whole  host  of  important  operational  issues.  This  testimony  highhghts  the  four 
most  problematic  provisions  in  the  regulation. 
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1.  Preemption  of  State  Law 

We  believe  doctors,  health  plans,  and  other  covered  entities  will  be  unable  to  navi- 
gate the  labyrinth  of  state  and  federal  privacy  laws  under  the  complex  construct  of 
the  HIPAA  regulatory  model.  The  regulation  follows  HIPAA  regulatory  construct  in 
that  state  laws  are  preempted  only  if  contrary  to  the  regulation,  and  less  stringent. 
In  addition,  the  regulation  specifically  "saves"  certain  state  statutes  from  preemp- 
tion, such  as  those  relating  to  health  surveillance. 

Everyone  in  the  health  care  system  needs  a  clear  understanding  of  the  rules  that 
guarantee  privacy.  We  are  concerned  that  the  lack  of  a  complete  preemption  over 
state  law  creates  a  serious  problem  for  consumers,  doctors,  health  plans  and  other 
covered  entities. 

Doctors,  health  plans  and  other  covered  entities  must  determine,  on  a  provision 
by  provision  basis,  which  parts  of  state  law  would  be  retained,  and  which  would  be 
replaced  by  federal  law.  Tnis  is  further  complicated  by  the  free  flow  of  patients  and 
information  in  today's  health  care  industry.  For  instance,  an  individual  may  live  in 
the  District  of  Columbia,  work  in  Virginia,  and  visit  a  physician  located  in  Mary- 
land. Covered  entities  dealing  with  this  individual  must  evaluate  the  interplay  of 
three  state  statutes  with  the  federal  law.  In  addition,  covered  entities  also  must  fac- 
tor in  the  interplay  of  other  federal  laws  relating  to  privacy.  Even  if  each  covered 
entity  engaged  an  attorney  to  prepare  a  preemption  analysis,  different  attorneys 
would  prepare  conflicting  interpretations — leading  to  costly  litigation  with  the 
states,  the  federal  government  and  consumers. 

This  regulatory  construct  particularly  will  be  confusing  for  consumers.  Instead  of 
facilitating  an  individual's  ability  to  know  their  privacy  rights,  this  complex  preemp- 
tion process  is  sure  to  confound  patients.  First,  individuals  will  be  hard  pressed  to 
determine  which  aspects  of  the  state  and  federal  privacy  laws  apply  to  tnem,  so  it 
will  be  impossible  for  them  to  determine  if  in  fact,  they  have  been  wronged.  In  addi- 
tion, consumers  will  not  know  where  to  direct  complaints  if  they  do  feel  that  their 
rights  are  violated  — Maryland?  Virginia?  The  District  of  Columbia?  The  Secretary 
of  Health  and  Human  Services?  It  is  likely  that  consumers  will  be  bounced  from  one 
jurisdiction  to  the  next  until  the  consumer  locates  the  one  which  has  the  law  that 
has  been  violated  -or  the  consumer  becomes  frustrated  and  terminates  the  effort. 

We  recognize  that  a  complete  preemption  of  state  law  is  outside  the  statutory  au- 
thority of  the  Department  of  Health  and  Human  Services  (HHS).  Therefore,  we  rec- 
ommend HHS  prepare  a  detailed  privacy  guide  for  each  state  on  how  existing  state 
laws  intersect  with  the  new  federal  rules.  The  guide  should  also  address  whether 
a  privacy  provision  is  triggered  by  a  consumer's  residence,  location  of  provider  or 
other  criteria.  HHS  should  prepare  the  guide  in  collaboration  with  state  government 
officials.  HHS  should  assure  this  guide  also  incorporates  other  federal  privacy  laws, 
such  as  the  Federal  Privacy  Act.  As  part  of  this  process,  each  individual  state 
should  certify  agreement  with  HHS'  analysis  so  everyone  has  a  clear  understanding 
of  the  rules. 

It  is  imperative  that  this  legal  guidebook  is  prepared  well  in  advance  of  the  final 
regulations.  Doctors,  health  plans,  and  other  covered  entities  will  need  this  com- 
pleted analysis  before  computer  systems  can  be  redesigned,  forms  and  notices  are 
changed,  consumer  brochures  are  modified  and  updated,  and  other  procedures  can 
be  brought  into  compliance.  Bringing  plan  and  provider  operations  into  compliance 
with  these  complex  new  regulations  will  be  expensive,  so  it  is  critical  that  these  en- 
tities only  have  to  modify  systems  and  other  items  once.  Therefore,  we  recommend 
that  the  analysis  be  provided  two  years  prior  to  the  effective  date  of  the  regulation. 

2.  Business  Partners 

The  business  partner  provisions  of  the  regulation  require  that  doctors,  health 
plans  and  other  covered  entities  enter  into  prescribed  contracts  with  all  of  their 
'business  partners"  to  assure  these  partners  follow  specific  HHS  privacy  rules.  The 
doctors,  health  plans  and  other  covered  entities  would  be  considered  to  be  in  non- 
compliance with  the  regulations  and  could  be  subject  to  penalties  and/or  litigation 
if  they  "knew  or  reasonably  should  have  known"  of  certain  privacy  violations  of  their 
busmess  partners.  We  believe  these  provisions  are  unworkable,  as  well  as  outside 
of  the  authority  of  HHS. 

The  definition  of  business  partner  is  so  broad  that  physicians  could  be  the  busi- 
ness partners  of  independent  laboratories;  health  plans  could  be  the  business  part- 
ners of  their  lawyers  and  accountants;  and  hospitals  could  be  the  business  partners 
of  independent  physicians  that  practice  within  their  walls.  Doctors,  hospitals,  Co- 
ordination of  Benefit  (COB)  partners,  and  health  plans  could  all  be  construed  as 
"business  partners"  of  each  other.  These  provisions  also  could  result  in  unworkable 
relationships  between  government  agencies.  For  instance,  we  believe  the  Social  Se- 
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CTirity  Administration— who  makes  eligibility  determinations  for  the  Medicare  pro- 
gram— could  be  interpreted  to  be  a  business  partner  of  the  Health  Care  Financing 
Administration  (HCFA).  Medicare  contractors  could  be  business  partners  of  HCFA, 
subjecting  HCFA  to  the  fines  and  penalties  under  the  regulation. 

The  potential  habihty  is  likely  to  force  all  of  these  doctors,  healthplans,  and  other 
covered  entities  to  monitor  each  other  (as  well  as  sub-contractors).  This  would  result 
in  an  enormous  amount  of  duphcative  monitoring  and  auditing,  making  it  likely 
that  all  members  of  the  health  care  industry  would  be  monitoring  each  other  (in- 
cluding covered  entities) — an  obvious  conflict  with  the  efficiency  and  cost-saving 
goals  of  the  Administrative  Simplification  provisions  of  HIPAA.  Moreover,  these 
costly  actions  would  provide  Uttle  or  no  real  benefit  to  consumers  since  most  of  these 
entities  already  would  be  covered  by  the  regulations. 

The  contractual  specifications  included  in  the  regulation  compound  the  problems 
in  the  unworkable  business  partner  fi-amework.  For  instance,  one  of  the  specified 
contract  standards  in  the  regiilation  is  that  doctors,  health  plans,  and  other  covered 
entities  require  business  partners  to  either  destroy  or  return  all  protected  health  in- 
formation (PHI)  when  a  contract  is  terminated.  But  clearinghouses,  for  example, 
keep  health  data  on  file  for  some  time  to  respond  to  disputes  and  complaints.  Health 
plans,  employers,  and  other  covered  entities  and  business  partners  must  maintain 
PHI  in  order  to  provide  HIPAA  certificates  of  coverage  and  protect  themselves  firom 
legal  disputes,  complaints,  etc.  In  addition,  some  he^th  plans  are  required  by  state 
law  to  keep  information  for  a  certain  period  of  years  for  state  purposes.  This  is  only 
one  of  a  nimiber  of  examples  demonstrating  the  operational  infeasibihty  of  the  con- 
tract provisions.  In  our  detailed  comments,  we  identified  a  number  of  other. 

And  finally,  we  believe  the  business  partner  provisions  are  outside  of  the  statu- 
tory authority  of  the  Department  of  Health  and  Human  Services.  HIPAA  clearly  de- 
lineates the  covered  entities  subject  to  HHS  oversight:  health  plans,  clearinghouses, 
and  providers  conducting  standard  transactions.  Attempts  to  indirectly  regulate 
other  organizations — through  doctors,  health  plans  and  other  covered  entities  or  oth- 
erwise— is  an  overreach  of  regulatory  authority.  We  beheve  recent  District  and  Su- 
preme Court  cases  support  this  premise  as  well  as  the  viewpoint  that  inherently 
federal  powers  cannot  be  delegated  to  non-federal  authorities. 

3.  Minimum  Necessary 

The  proposed  regulation  instructs  doctors,  health  plans,  and  other  covered  entities 
to  use  or  disclose  only  the  minimum  information  necessary  to  accomplish  a  given 
purpose  and  discourages  the  exchange  of  the  entire  medical  record.  This  require- 
ment also  implies  determinations  should  be  made  on  an  individual  basis.  At  first 
blush,  this  standard  seems  to  be  a  perfectly  reasonable,  common  sense  provision. 

However,  upon  an  operational  implementation  perspective,  it  becomes  increas- 
ingly clear  that  it  would  be  impossible  to  implement  a  legal  standard  that  only  the 
minimum  information  is  used  or  disclosed.  First  of  all,  it  is  important  to  recognize 
that  this  standard  appHes  to  the  use  of  information  as  well  as  disclosure,  and  that 
the  definition  of  disclosure  includes  broad  terms  such  as  "provision  of  access  to."  We 
beheve  this  standard  would  require  a  massive  reorganization  of  workflow,  as  well 
as  possible  redesign  of  physical  office  space  and  would  jeopardize  the  quahty  and 
timeliness  of  patient  care,  benefit  determinations  and  other  critical  elements  of  the 
health  care  system.  For  instance: 

•  As  part  of  the  description  regarding  the  minimum  necessary  standard,  the  regu- 
lation includes  a  strong  discouragement  regarding  the  release  of  entire  medical 
records  of  patients.  The  complete  exchange  of  medical  information  is  absolutely  criti- 
cal to  assuring  a  patient  receives  the  right  treatment  at  the  right  time.  The  recent 
Institute  of  Medicine  report,  "To  Err  is  Human,"  highlighted  the  medical  mistakes 
that  are  coinmon  in  our  health  care  system  today.  The  lOM  report  states  that  errors 
are  more  likely  to  occur  when  providers  do  not  have  timely  access  to  complete  pa- 
tient information.  The  discouragement  of  complete  medical  records  would  make  it 
more  difficult  to  guard  against  these  problems.  One  covered  entity  may  determine 
that  a  subscriber's  prescription  is  not  relevant  to  be  released.  Further  down  the  Hne, 
that  lack  of  information  may  impede  clinicians'  decisionmaking. 

•  It  is  well  documented  that  fraud  and  abuse  is  a  costly  element  of  our  health 
care  system.  The  Medicare  program  as  well  as  private  health  plans  have  made  com- 
bating fi-aud  and  abuse  a  priority.  However,  the  minimum  necessary  standard  is 
hkely  to  impede  fi'aud  detection,  because  firaud  and  abuse  units  may  be  accused  of 
using  more  than  the  minimum  information  necessary.  Any  impediment  to  fi:-aud  de- 
tection would  increase  the  cost  to  consimiers. 

•  Health  plans  and  providers  actually  may  be  forced  to  redesign  their  facihties 
to  comply  with  the  minimum  necessary  standard.  For  instance,  when  visiting 
fi-iends  in  maternity  wards,  there  generally  is  a  white  board  describing  all  of  the 
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Eatients  and  their  medical  needs.  Any  visitor  may  view  the  information  on  the 
oard.  Or  take  an  orthopedist's  office,  where  a  x-ray  lightboard  is  centrally  located 
outside  of  the  patients'  rooms  for  easy  access  by  the  physician.  Anyone  in  the  office 
could  view  the  x-rays,  and  x-rays  are  identffiable  information.  Would  the  regulation 
require  these  providers  to  renovate  their  facilities  to  comply  with  the  regulation? 

These  are  a  few  examples  of  the  types  of  activities  that  could  fall  awrv  of  the  pro- 
posed privacy  regulations.  If  implemented,  this  would  impose  incredible  costs  on 
consumers — not  just  in  dollars  and  cents — ^but  in  Uves  as  well. 

4.  Health  Care  Operations 

One  of  the  fundamental  building  blocks  of  the  regulation  is  its  definition  of  health 
care  operations.  Items  that  are  listed  in  this  definition  are  exempt  from  the  require- 
ment to  track  disclosures  of  protected  health  information,  and  do  not  require  a  sepa- 
rate authorization  from  an  individual.  As  changes  are  made  to  the  final  regulation, 
we  expect  the  definition  to  continue  to  play  a  key  role. 

We  beheve  the  current  definition  of  health  care  operations  misses  important  ftmc- 
tions.  As  a  result,  covered  entities  may  have  to  solicit  authorizations  for  certain 
functions  or  track  disclosures  as  part  of  routine  operations.  The  end  result  would 
be  that  health  plans  could  encoimter  major  obstacles  to  conducting  these  activities 
and  could  be  discouraged  fi:*om  conducting  these  important  functions.  The  following 
is  a  sample  of  overlooked  functions: 

•  Disease  management,  case  management,  risk  assessment,  epidemiological  studies 
and  drug  interventions.  Many  of  our  Plans  conduct  these  important  programs  that 
benefit  consumers  through  improved  health  care,  better  outcomes,  and  lower  cost. 
For  instance,  the  Blue  Cross  and  Blue  Shield  Federal  Employee  Program  provides 
disease  management  services  to  improve  care  for  patients  with  respect  to  congestive 
heart  failure  and  diabetes  as  part  of  its  benefit  plans.  When  claims  are  processed, 
the  names  of  enroUees  that  could  benefit  from  disease  or  case  management  are  com- 
piled. This  information  also  may  be  used  to  conduct  epidemiological  studies  of  par- 
ticular populations  within  FEP  or  to  implement  drug  intervention  programs. 

•  Private  accreditation  by  organizations  such  as  National  Committee  for  Quality 
Assurance  (NCQA),  as  well  as  auditing,  evaluating  and  accreditation  functions  per- 
formed by  other  private  entities,  such  as  associations.  The  NCQA  and  other  private 
accrediting  organizations  sometimes  require  the  review  of  information  that  could  be 
considered  as  protected  health  information.  In  addition,  other  private  entities — such 
as  associations — sometimes  perform  auditing  and  evaluation  of  their  members  as 
part  of  membership  or  other  standards. 

•  Routine  Plan  operations  such  as  "security  activities,"  data  processing  activities 
and  general  maintenance:  Some  health  plans  conduct  a  series  of  security  activities 
designed  to  assure  that  employees  are  compljdng  with  corporate  privacy  policies.  For 
instance,  they  may  monitor  "same  name"  look-ups,  to  guard  against  employees 
checking  the  records  of  family  members,  or  monitor  access  to  celebrity  files,  as  well 
as  other  initiatives.  With  regards  to  computers,  "live"  data  is  often  used  in  order 
to  assure  that  system  changes  and  upgrades  have  correctly  been  made.  Health 
Plans  also  must  conduct  a  number  of  routine  operations,  for  instemce  the  printing 
of  ID  cards,  etc. 

•  Health  promotion  and  other  educational  activities.  For  instance,  FEP  has  estab- 
lished a  24-hour  nurse  hotline.  Blue  Health  Connection.  EnroUees'  PHI  may  be  dis- 
closed to  the  vendor  responsible  for  Blue  Health.  This  information  is  used  to  provide 
enroUees  with  health  education,  treatment  options,  and  assistance  with  questions 
for  enroUees  to  ask  their  physicians.  We  also  may  notify  enroUees  -or  require  our 
physicians  to  notify  patients — regarding  mammography  screenings  or  immuniza- 
tions. 

•  Insurance  underwriting  and  other  activities:  While  the  regulation  does  specify 
insurance  underwriting,  we  believe  the  proposed  definition  may  be  deficient  because 
it  relates  only  to  the  renewal  of  a  contract,  and  to  the  protected  health  information 
of  individuals  already  enrolled.  This  could  inhibit  our  ability  to  develop  an  appro- 
priate premium  for  group  coverage  as  well  as  the  ability  of  covered  entities  to  obtain 
stop-loss  coverage  or  reinsurance. 

I'his  is  only  a  sample  of  the  types  of  functions  that  have  been  overlooked.  We  be- 
lieve many  more  items  will  be  discovered  as  doctors,  health  plans,  and  other  covered 
entities  begin  implementing  the  regulation.  In  addition,  we  believe  the  definition  is 
static,  and  cannot  reflect  the  new  roles  and  functions  that  health  plans  may  develop 
in  the  future  that  benefit  consumers,  improve  quality,  and  reduce  costs.  For  in- 
stance, if  this  definition  had  been  developed  ten  years  ago,  disease  mgoiagement  pro- 
grams would  not  be  as  common  as  they  are  today.  We  are  concerned  that  such  strict 
definitions  could  Hmit  health  plans'  roles  as  they  seek  to  redefine  themselves  to 
meet  consumer  demands  of  the  21st  century.  We  beheve  a  static  definition  of  health 
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care  operations  will  squelch  innovation  because  health  plans  will  not  invest  in  de- 
velopment unless  they  know  the  new  program  would  fall  under  health  care  oper- 
ations. 

III.  Positive  Aspects  of  the  Proposed  Regulation 

Clearly,  we  beheve  there  are  significant  issues  in  the  proposed  regulations.  How- 
ever, the  regulations  did  include  certain  provisions  that  demonstrated  interest  in 
balancing  operational  impacts  with  the  overall  goal  of  privacy.  We  have  urged  HHS 
to  retain  these  provisions  in  the  final  regulation.  In  particular: 

•  "Statutory"  Authorization  for  Treatment,  Payment  and  Health  Care  Operations: 
The  proposed  regulation  does  not  require  a  new  authorization  for  treatment,  pay- 
ment, and  health  care  operations.  We  beheve  a  "statutory"  authorization,  meaning 
that  covered  entities  may  use  or  disclose  protected  health  information  (PHI)  without 
authorization  as  matter  of  law,  is  imperative  and  would  oppose  a  requirement  for 
new  authorizations  for  these  vital  activities. 

Requiring  health  plans  to  obtain  a  new  authorization  from  ctirrent  subscribers 
would  require  numerous  mailings  and  phone  calls  from  health  plans — a  process  akin 
to  a  'i.ate  bill"  collections  process — in  order  to  obtain  the  new  authorizations.  In  the 
interim,  subscribers  and  providers  would  experience  delays  in  payment  and  other 
services  and  confusion  in  the  health  care  system. 

•  Tracking  of  Disclosures,  Other  Than  For  Treatment,  Payment  and  Health  Care 
Operations:  The  proposed  regulation  requires  tracking  of  disclosures  made  for  pur- 
poses other  than  treatment,  payment  or  health  care  operations.  This  requirement 
is  operationally  more  feasible  than  a  requirement  to  track  all  disclosures.  We  would 
oppose  any  expansion  of  this  standard.  Expanding  the  tracking  standards  would  re- 
sult in  duphcative  and  unnecessary  tracking  of  nuUions  of  routine  transactions  that 
occur  every  day  (e.g..  Coordination  of  Benefits,  lab  disclosures  to  physicians,  etc.) 
and  a  blizzard  of  paperwork  for  all,  especially  physicians.  However,  we  remain  con- 
cerned that  this  more  reasonable  tracking  standard  is  undermined  by  provisions  in 
the  amendment  and  correction  standard  that  requires  doctors,  health  plans  and 
other  covered  entities  to  notify'  previous  recipients  of  information.  If  the  amendment 
and  correction  standard  is  not  modified,  we  beheve  it  would  have  the  operational 
effect  of  a  "de  facto"  tracking  standard  for  all  disclosures,  even  those  made  for  treat- 
ment, payment,  and  health  care  operations. 

•  Inspection  And  Copying  Of  PHI  Contained  In  A  Designated  Record  Set:  The  pro- 
posed regulation  allows  consumers  to  inspect  and  copy  those  records  retrieved  from 
a  designated  record  set  used  to  make  substantive  decisions.  Using  a  designated 
record  set  standard  is  operationally  more  feasible  than  requiring  access  to  all  pro- 
tected health  information.  Expansion  of  this  standard  to  all  records  would  result  in 
reams  of  meaningless  information  being  retrieved  and  copied  at  a  great  cost  to  the 
health  care  system.  We  oppose  expansion  of  the  current  standard. 

VI.  The  Cost  of  the  Regulation 

The  proposed  regulation  includes  an  estimated  total  cost  of  $3.8  biUion  over  five 
years.  We  think  this  figure  greatly  underestimates  the  cost  of  implementation.  The 
regulation  itself  indicates  the  HHS  cost  estimates  are  incomplete.  The  proposed  reg- 
ulation itemizes  10  standards  for  which  HHS  was  unable  to  complete  a  cost  analy- 
sis, noting  that  "the  cost  of  these  provisions  may  be  significant  in  some  cases.  .  .." 
The  minimum  necessary  standard,  business  partner  monitoring,  designation  of  pri- 
vacy officials  and  privacy  boards,  and  creation  of  de-identified  information  were  all 
items  excluded  from  the  HHS  cost  estimate. 

Due  to  our  concern  regarding  costs,  we  engaged  the  Robert  E.  Nolan  Management 
Consulting  Company  to  provide  an  independent  estimate  of  several  key  provisions 
of  the  proposed  regulation;  the  Nolan  estimate  is  over  $40  bilhon  over  five  years 
to  health  plans,  providers  and  other  members  of  the  health  care  community.  These 
costs  stem  from: 

•  Business  Partner  Monitoring:  The  business  partner  provisions  would  make  doc- 
tors, health  plans  and  other  covered  entities  hable  for  the  comphance  of  their  busi- 
ness partners,  including  lawyers,  schools  and  other  organizations.  As  a  result,  cov- 
ered entities  would  monitor  each  other  as  well  as  their  non-health  business  part- 
ners. This  provision  is  estimated  to  cost  about  $4  bilhon  over  five  years. 

•  Privacy  Officials,  System  Changes  and  other  Infrastructure:  Doctors,  health 
plans  and  other  covered  entities  would  need  to  retrain  current  employees  and  peri- 
odically recertify  their  employees,  hire  privacy  officials,  upgrade  systems,  and  ad- 
dress other  infrastructure  issues  in  order  to  implement  the  proposed  privacy  regula- 
tions. This  is  estimated  to  cost  about  $23  billion  over  five  years. 

•  Tracking  and  Disclosure:  The  amendment  and  correction  provision  requires  cov- 
ered entities  to  send  amended  records  to  previous  recipients  of  the  information.  This 
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could  result  in  a  "de  facto"  requirement  to  track  all  disclosures  of  information.  As 
a  result,  this  provision  could  cost  as  much  as  $9  billion  over  five  years. 

•  Inspection,  Copying  and  Amendment:  Covered  entities  would  have  to  allow  indi- 
viduals to  inspect,  copy  and  amend  all  information  contained  in  a  designated  record 
set.  The  definition  of  accessible  information  extends  beyond  the  traditional  medical 
record  to  other  electronic,  or  written  information  that  includes  an  individual's  name, 
social  security  number  or  other  identifying  feature.  This  provision  is  estimated  to 
cost  almost  $4  billion  over  five  years. 

•  Impact  on  Medical  Management:  Deficiencies  in  the  term  health  care  operations 
and  other  definitions  could  reduce  the  ability  of  health  plans  to  conduct  effective  dis- 
ease management  programs.  These  programs  improve  the  quality  of  care  of  consum- 
ers, and  decrease  overall  medical  costs.  Less  effective  disease  management  pro- 
grams is  estimated  to  cost  $3  billion  over  five  years. 

Obviously,  estimates  will  vary  depending  on  the  final  interpretations  of  the  regu- 
lation, however  we  believe  an  estimate  of  over  $40  billion  remains  conservative.  For 
instance,  it  does  not  include  the  new  liability  costs  that  will  arise  from  this  regula- 
tion, the  impact  of  underwriting  changes,  or  the  impact  on  health  research.  Ulti- 
mately, the  additional  administrative  costs  faced  by  providers  and  health  plans  will 
increase  the  cost  of  insurance  coverage. 

V.  Recommendations 

In  general,  the  proposed  regulation  require  doctors,  health  plans  and  other  cov- 
•  ered  entities  to  implement  complex  new  rules  that  require  extensive  new  proce- 
dures, documentation  processes,  form  specifications  and  notice  standards.  These  re- 
quirements would  require  the  re-organization  of  workflows  as  well  as  possibly  the 
physical  facilities  of  doctors  and  hospitals  in  order  to  comply  with  the  law.  We  be- 
lieve the  level  of  docxmientation  and  procedures  is  imnecessarily  excessive,  and 
should  be  rewritten  to  reduce  the  complexity,  burden  and  cost. 
Specifically,  we  urge  the  following: 

(1)  Detailed  Guidance  on  Preemption  of  State  Law:  While  we  recommend  a  full 
preemption  of  state  law  in  the  privacy  area,  we  understand  that  it  is  outside  of  the 
statutory  authority  for  HHS.  In  the  absence  of  full  preemption,  we  recommend 
HHS,  working  with  the  states,  prepare  a  detailed  analysis  of  state  and  federal  law 
to  provide  a  clear  guide  on  all  provisions  affecting  the  health  care  industry. 

It  is  critical  that  this  guidance  is  available  at  least  two  years  prior  to  the  effective 
date  of  the  regulation.  Bringing  operations  into  compliance  with  these  complex  new 
regulations  wUl  be  expensive  so  it  is  critical  that  doctors,  health  plans,  and  other 
covered  entities  only  have  to  modify  systems  and  other  items  once. 

(2)  Removal  of  Business  Partner  Provisions.  The  business  partner  provisions 
should  be  removed  from  the  regulation  because  they  are: 

•  Outside  of  the  Secretar/s  statutory  authority 

•  Unworkable  and  would  create  expensive  and  duplicative  monitoring  between 
doctors,  health  plans,  and  other  covered  entities 

•  Unnecessary  since  the  vast  majority  of  protected  health  information  is  main- 
tained by  organizations  that  are  covered  by  the  regulation. 

(3)  Change  the  Minimum  Necessary  Standard  from  Legal  Standard  to  Organiza- 
tional Objective:  While  we  beheve  the  minimum  necessary  standard  is  a  laudable 
goal,  we  are  concerned  that  it  would  be  impossible  to  implement  this  standard  oper- 
ationally and  comply  with  a  rigid  legal  standard.  Therefore,  we  recommend  that  or- 
ganizations include  the  minimum  necessary  standard  concept  as  an  objective,  rather 
than  as  a  legal  standard. 

(4)  Revise  Definition  of  Health  Care  Operations:  The  current  definition  of  health 
care  operations  is  static  and  missing  key  elements.  As  the  building  block  of  the  reg- 
ulation, this  definition  is  crucial  because  it  triggers  whether  or  not  new  authoriza- 
tions are  required,  disclosures  are  tracked,  and  other  important  issues.  Instead  of 
using  a  narrow,  prescriptive  definition,  we  recommend  inclusion  of  a  definition  that 
is  flexible  enough  to  incorporate  the  industry's  current  operations  as  well  as  new 
ones  that  develop  as  our  ability  to  improve  quality  and  other  areas  increase. 

(5)  Additional  Funding  for  Medicare  Contractors  and  other  Government  Programs. 
We  also  urge  congressional  appropriators  to  factor  the  additional  cost  of  privacy 
compliance  into  budget  development  regarding  the  Medicare  fee  for  service  contrac- 
tors, Medicare+Choice  plans,  the  Federal  Employees  Health  Benefit  Program,  and  i 
other  federal  programs.  | 
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VI.  Conclusion 

Once  again,  we  appreciate  the  opportunity  to  testify  before  you  on  this  critical 
issue. 

We  would  like  to  continue  working  with  you,  and  the  Department  of  Health  and 
Human  Services,  on  crsifting  privacy  rules  that  meet  our  common  go£ils  of  protecting 
consumers,  improving  quality,  and  minimizing  costs. 

Thank  you  again  for  this  opportunity  to  testify  on  this  important  issue. 


Chairman  Thomas.  Thank  you,  Ms.  Fox.  Ms.  Goldman? 

STATEMENT  OF  JANLORI  GOLDMAN,  DIRECTOR,  HEALTH  PRI- 
VACY PROJECT,  INSTITUTE  FOR  HEALTH  CARE  RESEARCH 
AND  POLICY,  GEORGETOWN  UNIVERSITY 

Ms.  Goldman.  Good  morning,  Mr.  Chairman,  Mr.  McDermott, 
members  of  the  subcommittee,  thank  you  very  much  for  testifying 
today. 

The  Health  Privacy  Project  at  Georgetown  was  created  a  number 
of  years  ago  to  look  at  the  impact  of  privacy  in  the  health  care  set- 
ting. We  have  since  participated  in  and  there  has  since  been  nu- 
merous polls  and  surveys  that  have  shown  that  the  lack  of  privacy 
in  health  care  has  been  a  major  barrier  to  people  seeking  care  and 
to  the  quadity  of  care  that  people  receive. 

Congress,  of  course,  acknowledged  that  concern  and,  in  the 
Hesdth  Insurauice  Portability  and  Accountability  Act,  you  imposed 
a  deadline  on  yourselves  to  address  this  issue  in  a  comprehensive 
way.  Of  course,  after  many  bills  were  introduced  and  many  hear- 
ings, many  of  which  were  held  by  this  subcommittee,  the  deadline 
did  pass  and  that  then  triggered  the  requirement  on  the  adminis- 
tration to  issue  regulations. 

They  did  extend  the  comment  period  based  on  our  request  and 
a  number  of  requests  of  those  sitting  here  at  this  table,  so  that  we 
had  a  full  chance  to  put  our  comments  in.  That  comment  period 
closes  today.  This  hearing  is  important  because  it  gives  us  again 
another  opportunity,  while  we  are  still  in  the  draft  stage,  to  make 
sure  that  this  is  as  strong  and  workable  a  regulation  as  possible. 

What  I  want  to  focus  on  in  my  testimony  are  two  areas.  One, 
there  are  gaps  in  the  Secretary's  proposed  regulation  that  are  there 
because  of  the  legal  constraints  on  her  delegation  of  authority  from 
HIPAA.  The  second  is  to  just  go  through  quickly  the  strengths  and 
weaknesses  in  the  proposed  regulation  itself 

There  are  three  major  gaps  in  the  regulation,  again  stemming 
from  the  delegation  of  authority  in  HIPAA.  They  have  already  been 
covered,  but  let  me  please  go  through  them  quickly.  The  issue  of 
electronic  versus  paper  records.  We  think  it  is  really  senseless  to 
have  a  rule  that  only  applies  to  electronic  records,  because  it  goes 
against  the  intention  in  HIPAA  which  is  to  create  a  uniform  stand- 
ard electronic  network.  And  you  do  not  want  to  create  a  disincen- 
I  tive  for  people  to  put  information  into  electronic  form  as  a  way  of 
'    avoiding  the  privacy  regulations. 

The  second  is  the  issue  of  covered  entities.  Some  of  the  concerns 
that  many  of  my  colleagues  have  about  how  the  regulation  is  draft- 
ed is  based  on  the  fact  that  the  administration  can  only  cover  three 
entities  directly,  the  plans,  the  providers,  and  the  clearing  houses. 
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So  the  scope  of  coverage  through  the  business  partners  language 
and  through  other  prohibitions  on  disclosure  is  in  there  as  a  way 
of  making  this  a  workable  regulation.  And  it  is  there  because  the 
screening  is  limited  in  what  she  is  able  to  do  in  terms  of  scope.  So 
I  think  that  is  an  important  issue  to  look  at. 

The  third  gap  obviously  is  on  enforcement.  We  are  very  con- 
cerned about  the  weak  enforcement  and  the  weak  remedies  that 
are  available  under  the  proposed  regulation.  Again,  HHS  was  con- 
strained because  of  HIPAA. 

We  do  think  though  that,  on  balance,  the  regulation  is  vitally  im- 
portant as  an  intermediary  step  and  I  say  that  recognizing  that 
Congress  still  has  a  very  important  role  to  play  in  both  filling  the 
gaps  and  strengthening  certain  provisions.  We  look  forward  to 
working  with  you  on  that.  I  think  the  regulation  will  set  a  baseline 
of  protection,  but  we  need  to  look  at  some  of  the  major  provisions 
that  are  being  proposed. 

One,  it  gives  people  the  right  to  see  their  own  records,  a  critical 
right,  one  that  is  not  uniformly  and  comprehensively  provided  for 
at  the  state  level.  The  regulation  itself  creates  an  overall  incentive 
to  use  de-identified  data.  Again,  if  you  create  de-identified  data, 
you  are  outside  the  scope  of  the  regulation.  It  provides  notice  to  pa- 
tients about  how  their  information  will  be  used  and  by  whom.  It 
provides  for  an  authorization  process. 

We  are  very  concerned,  however,  that  in  that  first  tier  of  author- 
izations, for  treatment,  pa5nnent,  and  health  care  operations,  the 
lack  of  any  opportunity  for  individuals  to  sign  a  form  either  saying 
"I  understand  how  my  data  is  going  to  be  used",  or  "I  am  authoriz- 
ing the  use  of  that  data" — which  is  essentially  what  the  status  quo 
is.  We  are  very  concerned  that  people  will  not  truly  understand 
how  their  information  is  flowing. 

While  the  business  partners  proposal,  is  awkward  in  many  ways, 
it  is  a  necessary  way  of  creating  a  chain  of  trust  in  how  informa- 
tion flows  and  to  whom.  In  many  ways,  it  is  codifying  what  is  al- 
ready good  business  practice.  You  clearly  do  not  disclose  informa- 
tion to  agents  or  others  without  entering  into  a  written  agreement 
about  how  that  information  will  be  used. 

On  research,  we  are  very  pleased  to  see  the  Secretar/s  proposal 
to  expand  either  the  institutional  review  board  structure  or  a  pri- 
vacy board  to  cover  all  research.  However,  we  would  like  to  see  it 
be  an  institutional  review  board. 

On  law  enforcement,  I  think  she  has  fallen  short  of  where  the 
regulation  needs  to  be.  It  appears  to  be  an  improvement  over  the 
initial  recommendation,  but  it  allows  for  a  kind  of — excuse  the  cli- 
che— a  Chinese  menu  of  choices  in  determining  what  kind  of  legal 
process  law  enforcement  needs  to  get.  We  think  that  must  be 
strengthened. 

On  remedies,  again  a  private  right  of  action  is  necessary  to  make 
this  an  effective  provision.  Clearly  that  is  an  important  area  for 
Congress  to  explore.  All  other  Federal  privacy  laws  include  a  pri- 
vate right  of  action. 

On  preemption,  I  want  to  address  some  of  the  comments  that  my 
colleagues  have  made  about  preemption.  We  did  a  survey  of  state 
confidentiality  laws  to  look  at  what  was  the  state  of  health  privacy 
right  now.  What  we  have  found  is  that  if  you  read  the  regulation 
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that  is  being  proposed,  you  will  create  significant  uniformity  in  how 
health  privacy  is  handled  at  the  state  level,  because  many  of  the 
laws  are  weaker  than  what  is  being  proposed  by  the  Secretary  at 
this  stage.  And  where  they  are  more  detailed  and  more  protective 
are  in,  for  the  most  part,  condition  specific  areas,  where  the  states 
have  gone  to  great  pains  to  enact  detailed  specific  provisions  deal- 
ing with  HIV,  with  mental  health,  with  reporting,  with  abuse  and 
neglect. 

And  so  our  state  report  essentially  shows  you  will  have  substan- 
tial uniformity  with  the  passage  of  a  Federal  law,  even  one  that 
sets  a  floor.  It  will  make  the  operation  of  the  health  care  system 
much  more  efficient,  more  cost  effective  and,  I  think,  more  fair. 

In  conclusion.  Congress  set  the  wheels  in  motion  for  where  we 
are  today  with  the  Secretary's  proposal.  I  think  it  was  an  impor- 
tant trigger  mechanism  so  that  we  would  have  something,  again  as 
an  intermediary  step. 

This  has  been  a  tough  issue  for  Congress.  There  are  lots  of  dif- 
ferent interests.  It  has  been  hard  to  find  consensus.  But  in  fulfill- 
ing the  legal  duty  imposed  under  HIPAA,  the  Secretary  has  pro- 
posed some  regulations  that  will  take  us  part  of  the  way. 

What  we  urge  is  for  Congress  to  take  us  the  rest  of  the  way,  to 
finish  the  job,  and  to  fill  the  gaps  and  to  strengthen  the  weak- 
nesses. In  the  meantime,  we  hope  that  the  proposed  regulation  will 
be  strengthened,  that  the  Secretary  will  have  an  opportunity  to  re- 
spond to  many  of  the  concerns  that  we  have  all  raised,  and  that 
you  have  raised  this  morning,  and  that  the  regulation  should  go 
forward. 

Thank  you  very  much.  f 
[The  prepared  statement  follows:] 

Statement  of  Janlori  Goldman,  Director,  Health  Privacy  Project,  Institute 
for  Health  Care  Research  and  Policy,  Georgetown  University 

/.  INTRODUCTION  AND  OVERVIEW 

Mr.  Chairman  and  Members  of  the  House  Subcommittee  on  Health  of  the  Com- 
mittee on  Ways  and  Means:  I  very  much  appreciate  the  invitation  to  testify  before 
you  today  on  the  Administration's  proposed  regulations  regarding  the  privacy  of  in- 
dividually identifiable  health  information. 

In  December  1997,  I  laimched  the  Health  Privacy  Project  at  the  Institute  for 
Health  Care  Research  and  Policy  and  Georgetown  University  Medical  Center.  The 
Project  is  dedicated  to  raising  pubhc  awareness  of  the  importance  of  ensuring  health 
privacy  in  order  to  improve  health  care  access  and  quality,  both  on  an  individual 
and  a  community  level. 

Congress  recognized  the  importance  of  protecting  health  privacy  when  it  passed 
the  Health  Information  Portability  and  Accountability  Act  of  1996.  HIPAA  requires 
that  if  Congress  failed  to  pass  comprehensive  health  privacy  legislation  by  August 
21,  1999,  the  Secretary  of  Health  and  Human  Services  must  issue  regulations  by 
February  21,  2000. 

Congress  did  in  fact  fail  to  meet  the  August  deadline.  Consistent  with  its  legal 
duty  imder  HIPAA,  the  Administration  did  issue  draft  health  privacy  regulations 
November  2,  1999.  The  comment  period  was  extended  to  February  17,  2000.  We  ex- 
pect the  regulations  to  be  finalized  in  April. 

The  proposed  federal  health  privacy  regulations  constitute  a  significant  step  to- 
wards restoring  the  pubhc  trust  and  confidence  in  our  nation's  health  care.  Tnese 
rules,  however,  are  by  no  means  the  final  solution.  By  virtue  of  the  limited  authority 
delegated  by  Congress,  the  proposed  rules  have  limited  applicabihty  and  cover  only 
health  plans,  health  care  clearinghouses  and  health  care  providers  who  transmit 
health  information  (";covered  entities")  in  electronic  form.  We  appreciate  the  fact 
that  the  Secretary  has  made  a  strong  effort  to  extend  this  coverage  to  a  covered  en- 
tity's business  partners.  But  a  large  segment  of  those  who  hold  health  information 
remains  beyond  the  scope  of  these  regulations. 
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Our  testimony  today  focuses  on  two  areas:  1)  the  limitations  of  the  Secretar^s  au- 
thority and  the  role  Congress  should  play  to  strengthen  the  final  rule  and  fill  re- 
maining gaps  in  protection,  and  2)  the  strengths  and  weaknesses  of  the  proposed 
regulation. 

II.  PUBLIC  NEED  AND  DEMAND  FOR  HEALTH  PRIVACY 

A  substantial  barrier  to  improving  the  quality  of  care  and  access  to  care  in  this 
country  has  been  the  absence  of  enforceable  privacy  rules.  People  are  withdrawing 
from  full  participation  in  their  own  health  care  because  they  are  afraid  their  health 
records  will  fall  into  the  wrong  hands,  and  lead  to  discrimination,  loss  of  benefits, 
stigma,  and  unwanted  exposure.  A  January  1999  survey  by  the  CaHfomia  Health 
Care  Foundation  found  that  one  out  of  every  six  people  engages  in  some  form  of 
privacy-protective  behavior  to  shield  themselves  from  the  misuse  of  their  health  in- 
formation, including  lying  to  their  doctors,  providing  inaccurate  information,  doctor- 
hopping  to  avoid  a  consolidated  medical  record,  paying  out  of  pocket  for  care  that 
is  covered  by  insurance,  and — in  the  worst  cases — avoiding  care  altogether.  (Survey 
released  by  the  California  HealthCare  Foundation,  January  1999) 

Without  trust  that  the  personal,  sensitive  information  they  share  with  their  doc- 
tors will  be  handled  with  some  degree  of  confidentiality,  people  will  not  fully  partici- 
pate in  their  own  health  care.  As  a  result,  they  risk  inadequate  care  or  undetected 
and  untreated  health  conditions.  In  turn,  the  integrity  of  research  and  public  health 
initiatives  that  rely  on  complete  and  accurate  patient  data  may  also  be  com- 
promised. Thus,  protecting  privacy  and  promoting  health  care  quality  and  access  are 
values  that  must  go  hand-in-hsmd. 

///.  THE  ROLE  CONGRESS  SHOULD  PLAY 

The  Secretary's  authority  to  promulgate  health  privacy  regulations  is  delegated  to 
her  in  the  Health  Insurance  Portability  and  Accountability  Act.  Due  to  the  con- 
straints imposed  on  her  authority  by  HIPAA,  the  practical  impact  is  that  the  draft 
regulation  falls  short  in  terms  of  scope  of  coverage  and  enforcement.  Congress 
should  act  swiftly  to  fill  these  gaps  to  ensure  that  Americans  have  strong  and  com- 
prehensive health  privacy  protections. 

A.  Who  is  Covered:  Scope  Should  be  Expanded 

The  draft  rules  issued  by  HHS  only  apply  to  certain  entities:  health  care  provid- 
ers, health  plans,  and  clearinghouses  (entities  that  process  and  transmit  claims 
data).  We  recognize  that  the  scope  of  entities  covered  by  the  regulations  is  limited 
by  the  terms  of  HIPAA,  and  that  the  Secretary  has  attempted  to  cover  as  many  en- 
tities as  possible  given  her  limited  delegated  authority.  By  limiting  the  regulations 
to  health  plans,  health  care  clearinghouses,  and  certain  health  care  providers,  how- 
ever. Congress  has  left  a  large  number  of  entities  unregulated,  leaving  gaps  in  the 
protection  afforded  health  information.  Many  providers,  researchers,  and  oversight 
agencies,  for  example,  will  not  be  subject  to  this  regulation  even  though  they  collect, 
use,  and  disclose  protected  health  information  that  identifies  individuals. 

The  Secretary  has  chosen  to  bind  some  non-covered  entities  to  the  principles  of 
the  draft  regulation  by  requiring  covered  entities  to  establish  contracts  with  busi- 
ness partners,  or  by  prohibiting  disclosures.  This  is  a  good  intermediary  step  to  ftd- 
fill  the  intention  of  the  privacy  language  of  HIPAA.  However,  this  approach  has  sig- 
nificant limits,  including  the  liability  borne  by  covered  entities,  and  the  difficulty 
in  prohibiting  re-disclosure  by  non-covered  entities. 

The  only  way  to  eliminate  these  gaps  is  for  Congress  to  enact  a  comprehensive 
health  privacy  law.  We  therefore  strongly  urge  Congress  to  pass  a  comprehensive 
health  privacy  law  applicable  to  all  those  who  generate,  maintain,  or  receive  pro- 
tected health  information. 

B.  What  is  Covered:  Paper  Records  Should  be  Protected 

The  draft  regulations  only  apply  to  electronic  health  information,  but  the  vast  ma- 
jority of  health  information  is  currently  maintained  in  paper  form.  We  believe  that 
the  Secretary  has  the  authority  to  extend  the  regulations  that  apply  to  all  health 
information — whether  it  is  maintained  in  paper  or  electronic  format — and  we  rec- 
ommend that  she  does  so. 

In  the  event  that  the  final  regulations  do  not  cover  paper  records,  we  believe  that 
it  is  appropriate  and  necessary  for  Congress  to  extend  the  protections  to  cover  all 
records  maintained  or  transmitted  by  covered  entities. 

The  vast  majority  of  health  information  is  currently  maintained  in  paper  form. 
As  proposed,  the  regulations  distinguish  between  health  information  that  at  some 
point  has  been  electronically  maintained  or  transmitted  and  that  which  has  not. 
This  distinction  is  nonsensical,  imworkable  and  unenforceable.  At  some  point,  some. 
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but  not  all,  of  the  information  in  the  record  may  be  transmitted  electronically. 
Under  the  current  proposal,  the  paper  record  woiild  then  contain  both  protected  in- 
formation (i.e.,  information  that  has  been  electronically  transmitted),  and  unpro- 
tected information  (information  which  has  not  been  so  transmitted).  It  would  be  bur- 
densome and  difficult  to  identify  and  designate  which  information  in  any  particular 
record  is  protected. 

It  would  be  easier  for  a  covered  entity  to  treat  all  information  it  maintains  or 
transmits  in  the  same  fashion.  Additionally,  for  enforcement  purposes,  it  may  prove 
difficult,  if  not  impossible,  to  establish  that  specific  health  information  at  some  point 
in  its  existence  has  been  transmitted  or  maintained  electronically  and,  therefore,  is 
subject  to  the  regulations.  The  best  way  to  reduce  these  implementation  and  en- 
forcement ambiguities  is  to  make  the  privacy  standards  applicable  to  all  individ- 
ually identifiable  health  information  transmitted  or  maintained  by  a  covered  entity 
regardless  of  its  form. 

Finally,  the  administrative  simplification  provisions  of  HIPAA  appear  to  encour- 
age the  development  of  a  uniform  computer-based  health  information  system.  This 
goal  is  impeded  by  allowing  paper  records  to  remain  beyond  the  scope  of  the  regula- 
tions. There  is  little  incentive  for  covered  entities  to  convert  to  computer-based 
health  information  systems  if  they  may  avoid  regulation  by  maintaining  paper- 
based  systems. 

C.  Enforcement:  Private  Right  of  Action  Needed 

Under  HIPAA,  the  Secretary  is  unable  to  confer  on  individuals  a  private  right  of 
action  in  the  event  the  rules  are  violated.  When  finalized,  the  regulation  will  be  dif- 
ficult for  HHS  to  oversee  and  enforce,  and  no  federal  remedy  will  be  available  to 
individuals.  Only  Congress  can  fill  these  significant  gaps. 

In  every  other  federal  law  that  protects  the  privacy  of  peoples'  records — fi'om  the 
Right  to  Financial  Privacy  Act  to  the  Video  Privacy  Protection  Act — Congress  has 
seen  fit  to  give  people  the  legal  right  to  go  to  court  to  seek  injunctive  relief  and  dam- 
ages when  the  law  has  been  violated.  The  remedies  available  under  the  proposed 
regulation  are  inadequate  to  ensure  that  the  law  will  be  fully,  and  forceftiUy,  en- 
forced. In  the  absence  of  a  set  of  meaningful  remedies,  a  real  danger  exists  that 
compliance  will  be  weak  and  spotty.  While  we  understand  the  recent  concern  over 
lawsuits,  we  are  imaware  of  significant  problems  that  have  resulted  from  the  rem- 
edies now  available  to  people  under  existing  federal  privacy  statutes. 

IV.  STRENGTHS  AND  WEAKNESSES  OF  THE  PROPOSED  REGULATION 

The  following  is  a  summary  of  the  major  provisions  of  the  proposed  regulation, 
with  our  comments.  The  Health  Privacy  Project  also  staffs  the  Consumer  Coalition 
for  Health  Privacy,  whose  mission  is  to  educate  and  empower  healthcare  consumers 
to  have  a  prominent  and  informed  voice  on  health  privacy  issues  at  the  federal, 
state,  and  local  levels.  (A  copy  of  the  principles,  Steering  Committee,  and  endorsing 
organizations  is  attached.  Information  is  also  available  at  http:// 
www.healthprivacy.org.)  Members  of  the  coalition  are  committed  to  the  development 
and  enactment  of  public  policies  and  private  standards  that  guarantee  the  confiden- 
tiality of  personal  health  information  and  promote  both  access  to  high  quality  care 
and  the  continued  viability  of  medical  research.  Funding  for  the  Consumer  Coalition 
is  provided  solely  by  the  Open  Society  Institute.  Many  members  of  the  Coalition  are 
planning  to  submit  their  own  comments  on  the  draft  Regulation.  Others  have  en- 
dorsed the  comments  submitted  by  the  Health  Privacy  Project  and  are  reflected  in 
the  comments  themselves. 

The  full  text  of  our  comments,  with  the  names  of  endorsing  organizations,  is  at- 
tached. (The  comments  are  also  available  at  http://www.healthprivacy.org.) 

A.  Who  is  Covered 

Again,  by  statute,  the  Secretary  can  directly  regulate  only  health  care  providers, 
health  plans  and  health  care  clearinghouses,  all  of  which  are  defined  as  "covered 
entities."  We  believe  that  the  most  effective  way  to  extend  the  scope  of  coverage  is 
through  a  comprehensive  health  privacy  law  that  covers  all  entities  that  use  and 
disclose  individually  identifiable  health  information. 

In  the  draft  regulation,  the  Secretary  attempts  to  address  this  statutory  weakness 
by  requiring  covered  entities  to  have  contracts  restricting  uses  and  disclosures  with 
their  "business  partners,"  i.e.,  certain  persons  and  organizations  to  whom  they  dis- 
close protected  health  information.  We  commend  the  Secretary  on  her  efforts  to  en- 
compass as  broad  a  field  as  possible  under  the  proposed  regulations.  In  our  complete 
comments,  we  suggest  ways  in  which  the  contracts  between  business  partners  might 
be  improved. 
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The  Secretary  also  attempts  to  address  the  circumstance  under  which  an  organi- 
zation provides  some  health  care  or  has  created  a  health  plan,  but  is  not  primarily 
engaged  in  these  activities  (such  as  a  school  that  has  an  infirmary).  Although  the 
Secretary  discusses  treating  only  the  health  care  component  as  a  "covered  entity," 
the  regulations  do  not  expressly  carry  out  this  intent.  We  suggest  that  this  intent 
to  designate  only  the  health  care  component  of  a  mixed  entity  as  a  "covered  entity" 
be  incorporated  in  the  regulations.  Additionally,  the  Secretary's  explanation  con- 
cerning employers  and  how  they  fit  into  the  regulatory  scheme  is  somewhat  confus- 
ing. We  suggest  that  the  Secretary  clarify  the  responsibilities  of  employers  that 
sponsor  health  plans. 

B.  What  is  Covered 

Again,  the  draft  regulation  currently  only  applies  to  health  information  main- 
tained and  transmitted  in  electronic  form.  We  beUeve  that  the  Secretary  currently 
has  the  authority  to  promulgate  regiilations  that  apply  to  all  health  information — 
whether  it  is  maintained  in  electronic  or  paper  format — ^used  and  disclosed  by  cov- 
ered entities. 

C.  Patients'  Access  to  their  Own  Health  Records 

The  draft  regulations  give  people  the  right  to  see  and  copy  their  own  health  infor- 
mation, and  to  request  that  it  be  corrected  or  amended.  We  commend  this  effort  to 
extend  these  fair  information  practices  to  health  information. 

We  beUeve,  however,  that  the  Secretary  has  used  a  somewhat  minimaUst  ap- 
proach towards  these  rights.  In  our  comments,  we  suggest  a  number  of  ways  in 
which  the  right  of  access  can  be  made  more  meaningful.  Our  major  suggestions  in- 
clude: 

•  The  decision  to  deny  an  individual's  request  for  access  to  his  health  information 
should  ultimately  be  made  by  a  health  care  provider  who  is  qualified  to  treat  the 
patient  for  the  condition  that  is  the  subject  of  the  health  information; 

•  There  should  be  a  meaningful  appeals  process  for  denials  of  access  to  health  in- 
formation; £Uld 

•  The  regulations  should  expressly  state  that  a  covered  provider  may  not  deny 
an  individual  access  to  his  protected  health  information  because  of  an  unpaid  biU 
for  health  care  services. 

D.  Notice  of  Information  Practices 

The  regulations  give  individuals  the  right  to  receive  adequate  notice  of  the  infor- 
mation practices  of  covered  plans  and  providers.  We  approve  of  this  approach.  We 
are  also  pleased  that  the  regulation  requires  the  notice  to  address  the  entit/s  exist- 
ing information  practices,  rather  than  possible  information  practices,  and  suggest 
that  this  component  of  the  regulation  be  preserved.  We  recommend  changes  that 
strengthen  the  notice  provisions,  including  a  requirement  that  covered  entities  make 
a  reasonable  effort  to  obtain  a  signed  acknowledgment  that  the  individual  has  re- 
ceived and  read  the  notice  of  information  practices. 

E.  Patient  Authorization 

The  proposed  rules  would  allow  health  information  to  be  used  and  shared  easily 
for  treatment,  payment  and  health  care  operations,  without  the  consent  of  the  pa- 
tient. While  we  understand  the  need  to  strike  a  balance  between  individuals'  pri- 
vacy rights  and  the  practical  necessity  of  using  and  disclosing  health  information 
for  certain  purposes,  we  beheve  that  the  proposed  regulations  give  too  Uttle  weight 
to  individual  rights.  Under  the  proposed  rules,  people  have  no  ability  to  control  or 
even  monitor  the  use  and  disclosure  of  protected  health  information  for  purposes  of 
treatment,  payment  and  health  care  operations.  We  find  this  particularly  disturbing 
given  the  Secretary's  proposed  construction  that  "treatment"  includes  the  treatment 
of  all  individuals,  not  just  the  individual  subject  of  the  information. 

•  The  regulations  should  require  authorization  from  the  individual  for  the  use 
and  disclosure  of  information  for  treatment,  pa3mient  and  health  care  operations, 
which  should  be  renewed  at  least  once  every  three  years  or  whenever  the  patient 
changes  insurance  compguiies,  whichever  occurs  first.  At  an  absolute  minimum,  cov- 
ered entities  should  have  the  option  to  require  patient  authorization  for  treatment, 
pajrment  and  health  care  operations. 

•  The  terms  "treatment"  and  "payment"  should  be  narrowly  interpreted  as  apply- 
ing to  the  individual  who  is  the  subject  of  the  information. 

•  The  definition  of  "treatment"  should  be  amended  to  ensure  that  disease  man- 
agement programs  are  only  conducted  with  the  authorization  of  the  treating  physi- 
cian. 
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•  The  regulation  should  expressly  state  that  the  term  "health  care  operations"  in- 
cludes only  disclosures  made  to  the  covered  entity  (or  a  business  partner  of  such 
entity)  on  whose  behalf  the  operation  is  being  performed. 

•  The  regulations  should  limit  the  definition  of  health  care  operations  to  include 
only  those  operations  that  cannot  be  carried  on  with  reasonable  effectiveness  and 
efficiency  without  protected  health  information. 

•  Health  care  providers  should  be  subject  to  the  verification  requirements  of  the 
regulations  when  the  request  for  information  for  treatment  purposes  originates  out- 
side of  the  covered  entity. 

We  support  the  regulations'  requirement  that  covered  entities  obtain  an  author- 
ization fi-om  the  individual  for  most  uses  and  disclosures  that  are  not  directly  relat- 
ed to  treatment,  payment  or  health  care  operations.  We  also  strongly  agree  that  con- 
sent must  be  voluntary,  and  cannot  be  tied  to  the  delivery  of  any  benefits  or  serv- 
ices. In  addition  to  these  requirements,  we  recommend  that  covered  entities  be  re- 
quired to  obtain  individual  authorization  prior  to  making  certain  disclosures  of  in- 
formation pertaining  to  an  individual's  request  or  receipt  of  sensitive  health  serv- 
ices. 

F.  Minimum  Necessary 

The  proposed  regulation  requires  organizations  to  "make  all  reasonable  efforts  not 
to  use  or  disclose  more  than  the  minimum  amount  of  protected  health  information 
necessary  to  accomplish  the  intended  purpose  of  the  use  or  disclosure."  We  believe 
that  this  is  the  proper  approach  but  that  it  does  not  go  far  enough  because  it  does 
not  apply  to  a  large  number  of  uses  and  disclosures.  We  urge  the  Secretary  to  ex- 
tend this  minimization  requirement  to  most  uses  and  disclosures. 

G.  Patient's  Right  to  Restrict  Disclosures 

The  proposed  regulations  give  an  individual  the  right  to  request  restrictions  on 
the  use  and  disclosure  of  protected  health  information  for  purposes  of  treatment, 
payment,  and  health  care  operations.  That  request  can  only  be  made  to  a  health 
care  provider,  and  it  must  be  agreed  to  by  that  provider.  We  suggest  that  the  regu- 
lations be  amended  in  the  following  ways: 

•  Allow  individuals  to  have  a  true  right  to  restrict  (not  just  the  right  to  request 
restrictions  on)  the  use  and  disclosure  of  their  protected  health  information  where 
the  disclosure  of  that  information  could  jeopardize  the  safety  of  the  individual. 

•  Allow  individuals  who  pay  for  their  own  medical  care  (self-pay)  to  have  a  true 
right  to  restrict  the  disclosure  of  their  protected  health  information. 

•  Allow  individuals  to  require  or  request  restrictions  from  all  covered  entities,  not 
just  health  care  providers. 

•  Require  all  covered  entities  that  receive  health  care  information  that  are  subject 
to  a  restriction  to  comply  with  the  restriction. 

H.  Psychotherapy  Notes 

We  strongly  commend  the  Secretary  for  excepting  psychotherapy  notes  from  the 
general  rule  allowing  for  the  fi:'ee  flow  of  information  for  treatment,  payment  and 
health  care  operations  purposes.  The  proposed  regulations  limit  access  to  psycho- 
therapy notes,  absent  specific  consent  from  the  individual.  We  believe,  however,  ad- 
ditional protections  are  critical  for  ensuring  the  level  of  privacy  essential  for  effec- 
tive mental  health  care. 

7.  Law  Enforcement 

While  we  acknowledge  the  positive  shift  in  the  Secretary's  approach  from  her 
1997  position  that  law  enforcement  should  continue  to  have  unfettered  access  to 
medical  records,  this  current  proposal  continues  to  fall  far  short  of  meaningful 
standards.  We  urge  that  the  final  regulation: 

•  Require  that  law  enforcement  officials  obtain  legal  process  issued  by  a  neutral 
magistrate,  and 

•  Require  that  legal  process  issue  only  after  the  magistrate  has  apphed  a  strong 
legal  standard  in  weighing  the  request. 

J.  Health  Oversight 

We  believe  it  is  critical  for  the  Secretary  to  clearly  distinguish  between  law  en- 
forcement access  and  access  to  conduct  health  oversight  activities. 

We  are  also  deeply  concerned  that  the  health  oversight  section  contains  too  few 
limits  on  access  and  reuse  of  protected  health  information.  In  particular,  we  believe 
that  where  health  information  is  used  in  a  health  oversight  investigation,  there 
should  be  a  prohibition  on  the  re-use  and  re-disclosure  of  protected  health  informa- 
tion in  actions  against  individuals.  Such  a  limit  is  essential  to  ensure  that  the  rel- 
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atively  easy  access  afforded  to  health  oversight  officials  does  not  become  the  back- 
door for  law  enforcement  access. 

While  this  prohibition  may  be  beyond  the  Secretary's  authority  in  this  regulation, 
we  do  beUeve  that  the  Executive  Branch  is  empowered  to  issue  an  Executive  Order 
barring  the  re-use  and  re-disclosure  of  protected  health  information  obtained  pursu- 
ant to  oversight.  Such  an  order  would  establish  legally  enforceable  limits  directly 
on  the  federal  employees  charged  with  executing  health  oversight  responsibihties. 

K.  Research 

We  support  the  general  approach  towards  research  in  the  regulations.  We  are 
pleased  that  the  regulation  aims  to  establish  uniform  rules  for  researchers  regard- 
less of  the  source  of  funding.  The  regulation  seeks  to  accomplish  this  goal,  however, 
by  allowing  covered  entities  to  disclose  protected  health  information  to  researchers 
without  patient  authorization  if  the  disclosure  has  been  approved  by  an  Institu- 
tional Review  Board  (IRB),  or  a  newly  created  privacy  board.  We  believe  that  the 
Secretary  should  eliminate  the  option  of  using  a  privacy  board. 

If  the  regulation  does  not  bring  all  research  imder  the  Common  Rule,  the  pro- 
posed regulation  should  be  revised  to  ensure  that  there  are  similar  standards  and 
equal  oversight  and  accoimtability  for  both  IRBs  and  privacy  boards. 

L.  Enforcement 

We  recognize  that  the  Secretary  is  limited  in  addressing  enforcement  mechanisms 
by  the  delegation  of  authority  in  HIPAA.  Thus,  it  is  critical  that  the  Congress  act 
to  grant  people  a  private  right  of  action  to  enforce  their  rights  imder  this  regulation. 

M.  Preemption 

We  strongly  support  the  approach  in  HIPAA  and  the  proposed  regulations  that 
the  federal  privacy  regulations  will  act  as  a  floor,  but  not  a  ceiling,  on  privacy  pro- 
tections afforded  by  the  States.  Under  this  approach,  weaker  State  health  privacy 
laws  are  preempted  (or  overridden)  while  State  laws  that  offer  more  protection  than 
the  federal  regulations  will  remain.  Furthermore,  this  approach  allows  a  State,  in 
the  future,  to  enact  stronger  privacy  protections  to  meet  the  changing  needs  of  its 
citizens. 

We  beheve  that  the  regulations  should  provide  definitions  of  the  terminology  used 
in  the  preemption  provisions  for  general  purposes,  not  just  for  use  in  the  Secretary's 
advisory  opinions.  We  also  beUeve  that  the  regulation  should  treat  state  laws  per- 
taining to  disclosures  about  minors  the  same  as  other  state  laws  generally,  preempt- 
ing state  laws  that  are  contrary  to  the  proposed  rule  and  less  protective  of  the  pri- 
vacy of  minors.  Lastly,  we  are  very  concerned  about  the  breadth  of  the  provision 
under  which  a  State  may  request  a  waiver  that  would  allow  a  weaker  State  health 
privacy  law  to  stand,  essentially  making  the  analogous  federal  regulation  inapplica- 
ble in  that  State. 

y.  CONCLUSION 

On  bed£ince,  we  believe  that  the  proposed  health  privacy  regulations  are  a  signifi- 
cant and  vitally  important  step  towards  guaranteeing  the  American  pubhc  a  greater 
degree  of  privacy  protection  for  their  medical  records.  When  finaUzed,  the  regulation 
will  be  the  first  comprehensive  federal  rules  on  health  privacy,  establishing  a  mini- 
mum set  of  standards  by  which  health  care  providers,  health  plans,  and  others, 
must  comply.  As  such,  the  regulations  will  not  only  foster  greater  public  trust  and 
confidence  in  our  nation's  health  care  system,  but  they  will  also  bring  much-needed 
uniformity  and  predictability  to  the  privacy  rules  that  must  be  adhered  to  across 
the  coimtry.  Most  importantly,  the  regulation  will  establish  greater  uniformity  while 
leaving  states  the  flexibility  to  act  on  behalf  of  their  residents  and  augment  the  reg- 
ulation as  needed. 

We  do  believe  that  it  is  crucial  for  Congress  to  act  to  fill  the  gaps  in  the  proposed 
rule:  the  regulation  should  be  extended  to  cover  all  medical  information,  whether 
paper  or  electronic  form;  the  regulation  should  cover  all  of  those  who  generate, 
maintain  or  receive  protected  health  information;  and  the  regulation  should  include 
a  private  right  of  action. 

[An  attachment  is  being  retained  in  the  Committee  files.] 


Chairman  Thomas.  Thank  you  very  much,  Ms.  Goldman.  Ms. 
Grealy? 
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STATEMENT  OF  MARY  R.  GREALY,  PRESIDENT,  HEALTHCARE 
LEADERSHIP  COUNCIL 

Ms.  Grealy.  Mr.  Chairman  and  members  of  the  subcommittee, 
thank  you  for  this  opportunity  to  testify  regarding  the  proposed 
HHS  regulations  regarding  the  confidentiahty  of  patient  informa- 
tion. I  am  Mary  Greafy,  President  of  the  Healthcare  Leadership 
Council. 

The  HLC  is  an  organization  of  chief  executives  of  the  Nation's 
most  respected  health  care  companies  and  institutions.  The  views 
I  express  today  are  those  of  innovative  leaders  from  the  full  spec- 
trum of  American  health  care,  health  plans,  physicians,  hospitals, 
universities,  pharmaceutical,  biotechnology,  and  medical  device 
manufacturers.  Our  members  formed  the  Healthcare  Leadership 
Council  to  promote  their  vision  of  a  consumer  centered  health  sys- 
tem that  offers  accessible,  affordable  health  care  of  the  highest 
quality. 

The  HLC  has  led  a  broad-based  coalition  of  90  organizations  and 
has  sought  to  apply  this  vision  to  the  issue  of  patient  confidential- 
ity. Our  goal  has  been,  and  continues  to  be,  legislation  that  estab- 
lishes strong,  uniform.  Federal  standards  to  protect  the  confiden- 
tiality of  patient  information. 

We  share  the  desires  of  the  administration  and  many  members 
of  Congress  in  this  regard.  Our  members  know  firsthand  how  im- 
portant it  is  that  patients  have  trust  that  their  medical  information 
will  be  kept  confidential  and  disclosed  only  when  appropriate. 

We  appreciate  and  applaud  you,  Mr.  CJhairman,  and  Congress- 
man Cardin  for  your  efforts  to  move  us  closer  to  the  very  necessary 
uniform  Federal  standards  for  privacy. 

In  the  absence  of  legislation,  however,  we  concentrate  on  the 
matter  at  hand,  the  regulations  proposed  by  Health  and  Human 
Services.  We  share  the  goal  of  members  of  this  committee  and  of 
the  regulations  that  they  must  achieve  a  critical  balance.  We  must 
give  patients  confidence  that  their  medical  information  will  be  kept 
confidential  and  that  those  who  violate  the  patient's  privacy  will  be 
subjected  to  strong  penalties. 

At  the  same  time,  we  must  ensure  that  no  regulatory  barriers 
will  be  erected  to  obstruct  the  flow  of  information  that  has  led  to 
virtually  every  health  care  advance  that  has  saved  and  enhanced 
lives.  Can  we  achieve  confidentiality  protection  without  establish- 
ing costly  regulatory  burdens  that  will  divert  important  resources 
away  from  patient  care?  Striking  that  balance  is  the  standard  that 
these  regulations  must  meet. 

We  have  determined  that  in  certain  critical  aspects  they  fall 
short  of  reaching  that  balance.  While  there  are  a  number  of  very 
positive  aspects  to  these  regulations  that  we  can  endorse,  there  are 
also  some  ambiguities,  gaps  and,  in  some  instances,  explicit  lan- 
guage that  will  make  compliance  difficult  if  not  impossible  and  will 
have  a  detrimental  effect  on  the  quality  and  safety  of  patient  care. 

Let  me  make  clear  at  the  outset  that  we  support  the  Depart- 
ment's approach  of  permitting  patient  information  to  be  used  for 
payment,  treatment,  and  health  care  operations  without  requiring 
individual  authorizations.  When  individual  hospitals  and  other  pro- 
viders experience  millions  of  patient  encounters  every  day,  seeking 
individual  authorizations  to  disclose  information  for  each  of  those 
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encounters  would  have  a  catastrophic  effect  on  our  health  care  sys- 
tem and  patient  care  delivery. 

Under  tab  one  of  my  testimony  is  a  chart  that  illustrates  the 
many  integrated  components  of  our  complex  health  care  delivery 
system.  Requiring  those  separate  authorizations  would  impede  the 
flow  of  information  that  is  needed  for  the  various  activities,  such 
as  lab  tests,  ordering  prescriptions,  immunization  programs,  and  a 
variety  of  other  encounters,  as  well. 

HHS  has  handled  this  important  issue  properly,  and  we  endorse 
the  approach  that  they  have  taken.  Now  let  me  address  some  of  the 
aspects  of  the  regulation  that  we  cannot,  at  this  time,  support.  My 
full  written  testimony  addresses  this  in  much  more  detail,  but  let 
me  focus  on  just  five  areas  this  morning. 

Number  one,  these  regulations  become  unworkable  by  attempt- 
ing to  restrict  all  uses  of  information  as  opposed  to  the  disclosure 
of  information.  We  agree  that  the  limits  on  disclosure  are  necessary 
and  appropriate,  but  attempting  to  regulate  all  uses  creates  a  myr- 
iad of  problems. 

Let  me  put  this  into  prospective.  It  is  inconceivable  that  regu- 
lators in  Washington  today  can  predict  and  define  today  what  nec- 
essary use  of  patient  information  will  be  six  months  fi:-om  now, 
much  less  six  years  from  now.  An  attempt  to  do  so  will  really  have 
a  chilling  effect  on  the  efforts  to  develop  beneficial  new  uses  of  pa- 
tient information. 

Number  two,  these  regulations  raise  questions  as  to  whether 
population  data  can  be  used  without  unreasonable  restrictions  to 
support  patient  treatment  and  important  health  care  activities.  For 
example,  many  health  plans  today  review  their  entire  enroUee 
database  and  analyze  patterns  of  emergency  room  visits  and  phar- 
maceutical usage  to  identify  those  patients  who  can  benefit  fi:-om 
asthma  management  programs.  These  are  the  kinds  of  things  that 
perhaps,  if  this  regulation  is  not  implemented  appropriately  or  is 
not  clear  enough,  would  be  prevented  and  necessary  treatment 
would  not  be  given. 

Number  three,  there  is  a  two  word  phrase  in  these  regulations 
that  can  have  a  major  detrimental  impact  on  patient  care.  That 
phrase  is  minimally  necessary.  These  rules  stipulate  that  the  cov- 
ered entity  must  individually  review  every  legitimate  request  for 
patient  information  and  provide  only  that  information  that  is  mini- 
mally necessary.  We  have  heard  that  discussed  today  in  the  ques- 
tion and  answer  period,  but  I  think  you  can  detect  that  this  would 
be  a  very  burdensome  requirement  given  the  many  patient  encoun- 
ters that  occur  in  our  health  care  system. 

Really  a  catch-22  exists  here  where  you  perhaps  would  have  phy- 
sicians that  might  be  reviewing  that  request  or  nurses  that  are 
doing  the  review  of  those  patient  records.  They  would  be  experts, 
but  that  would  be  a  real  diversion  away  fi:-om  patient  care  in  using  : 
those  resources.  If  we  decide  not  to  use  a  physician  or  a  nurse,  and 
we  have  others  do  it,  there  is  a  real  chance  that  critical  information 
would  not  be  transmitted  if  they  are  trying  to  apply  that  minimally 
necessary  rule. 

Number  four,  it  is  also  troublesome  that  the  regulations  are  re-  | 
quiring  the  cumbersome  use  of  individual  authorization  for  re- 
search unrelated  to  treatment.  It  is  not  clear  what  that  phrase  un- 
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related  to  treatment  means.  Again,  you  have  heard  earlier  today 
some  of  the  concerns  raised  about  the  use  of  that  information  and 
the  need  for  having  it  for  medical  research  that  is  critical  to  our 
health  care  delivery  system. 

Finally,  Mr.  Chairman,  it  is  clear  in  reviewing  these  regydations, 
that  HHS  has  tremendously  imderestimated  the  cost.  I  think  Blue 
Cross  Blue  Shield  has  highlighted  that  very  well  in  their  testimony 
and  the  study  that  they  had  done.  The  cost  burden  could  have  a 
very  serious  effect  on  the  cost  of  health  care  and  the  delivery  cost, 
and  also  on  the  access  to  health  insurance  coverage,  about  which 
we  are  all  very  concerned. 

In  this  vein,  it  needs  to  be  emphasized  that  the  Secretary  really 
has,  we  believe,  reached  beyond  her  authority  by  requiring  covered 
entities  to  apply  these  regulations  in  contracts  with  their  business 
partners,  and  to  monitor  their  business  partners'  activities.  We  also 
believe  that  it  is  outside  the  Secretar/s  authority  to  impose  an  im- 
plied private  right  of  action,  as  we  think  has  been  done  in  these 
regulations. 

It  is  imperative,  we  believe,  that  there  be  a  national  uniform 
standard  that  will  provide  certainty  and  clarity  to  all  who  are  in- 
volved in  the  health  care  delivery  system,  patients,  providers,  re- 
searchers and  plans. 

We  look  forward  to  working  with  members  of  this  committee  and 
Congress,  and  also  working  with  HHS  as  they  produce  this  regula- 
tion, to  see  if  we  can  come  up  with  some  constructive  recommenda- 
tions. And  we  think  we  have  done  that  in  the  comments  that  we 
have  submitted.  We  look  forward  to  working  with  you  and  with  the 
Department  on  this  very  important  issue.  Thank  you. 

[The  prepared  statement  follows:] 

Statement  of  Mary  R.  Grealy,  President,  Healthcare  Leadership  Council 

Mr.  Chairman  and  members  of  the  Subcommittee,  thank  you  for  this  opportunity 
to  testify  regarding  the  proposed  HHS  regulations  governing  the  confidentiaHty  of 
patient  information. 

The  Healthcare  Leadership  Council  is  the  organization  of  chief  executives  of  the 
nation's  most  respected  health  care  companies  and  institutions.  The  views  I  express 
today  are  those  of  the  innovative  leaders  from  the  ftdl  spectrum  of  American  health 
care — health  plans,  physicians,  hospitals,  universities,  pharmaceutical,  bio- 
technology and  medical  device  manufacturers.  Our  members  formed  the  HLC  to  pro- 
mote their  shared  vision  of  a  consumer  centered  system  that  offers  accessible,  af- 
fordable health  care  of  the  highest  quahty. 

The  HLC  has  led  a  broad-based  coaUtion  of  90  organizations  that  has  sought  to 
apply  this  vision  to  the  issue  of  patient  confidentiality.  My  testimony  this  morning 
is  on  behalf  of  HLC.  Our  goal  has  been,  and  continues  to  be,  legislation  that  estab- 
Hshes  strong  uniform  federal  standards  to  protect  the  confidentiality  of  patient  in- 
formation. We  share  the  desires  of  the  Administration  and  many  members  of  Con- 
gress in  this  regard.  Our  members  know  first  hand  how  important  it  is  that  patients 
have  trust  that  their  medical  information  will  be  kept  confidential  and  disclosed 
only  where  appropriate. 

We  appreciate  and  applaud  you,  Mr.  Chairman,  and  Congressman  Cardin  for  your 
joint  efforts  to  move  us  closer  to  those  very  necessary  uniform  standards. 

In  the  absence  of  legislation,  however,  we  concentrate  on  the  matter  at  hand,  and 
apply  our  consumer-centered  health  care  principles  to  the  regulations  proposed  by 
HHS.  We  share  the  goal  of  members  of  this  Committee  that  these  regulations  must 
achieve  a  critical  balance.  Are  we  giving  patients  confidence  that  their  medical  in- 
formation will  be  kept  confidential,  and  that  those  who  violate  a  patient's  privacy 
will  be  subjected  to  strong  penalties?  And,  at  the  same  time,  are  we  ensuring  that 
no  regulatory  barriers  will  be  erected  to  obstruct  the  flow  of  information  that  has 
led  to  virtually  every  health  care  advance  and  breakthrough?  Can  we  achieve  con- 
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fidentiality  protections  without  establishing  costly  regulatory  burdens  that  will  di- 
vert important  resources  away  from  patient  care? 

Striking  that  balance  is  the  standard  these  regulations  must  meet,  Mr.  Chairman, 
and  we  have  determined  that,  in  certain  critic^  aspects,  they  fall  short.  There  are 
a  number  of  positive  aspects  to  these  regulations  that  we  can  endorse.  There  are, 
however,  ambiguities,  gaps  and,  in  some  cases,  expUcit  language  that  will  make 
compliance  difficult,  if  not  impossible,  and  will  have  a  detrimental  effect  on  the 
quality  and  safety  of  patient  care. 

Let  me  make  it  clear  at  the  outset  that  we  support  the  Department's  approach 
of  permitting  patient  information  to  be  used  for  payment,  treatment  and  health  care 
operations  without  requiring  the  use  of  individual  authorizations.  When  individual 
hospitals  and  providers  experience  milhons  of  patient  encounters  every  day,  seeking 
an  individual  authorization  to  disclose  information  for  each  of  those  encoimters  -and 
the  transactions  resulting  from  them — would  have  a  catastrophic  effect  on  our 
health  care  system  and  on  patient  care. 

Tab  one  of  my  testimony  is  a  chart  that  illustrates  the  many  integrated  compo- 
nent parts  of  our  health  care  system.  Requiring  separate  authorizations  would  im- 
pede the  flow  of  information  needed  for  various  activities  such  as  lab  tests,  ordering 
prescriptions,  inmiunization  programs,  medical  research  and  case  and  disease  man- 
agement, just  to  name  a  few. 

HHS  has  handled  this  important  issue  properly,  and  we  endorse  their  proposed 
poUcy  in  this  regard. 

Let  me  address,  though,  the  aspects  of  these  regulations  that  we  cannot,  in  the 
name  of  quality  health  care,  support.  My  full  written  testimony  addresses  our  com- 
ments in  greater  detail,  but  allow  me  to  highlight  this  morning  five  areas  of  particu- 
lar concern. 

Nimiber  one,  these  regulations  become  imworkable  when  they  attempt  to  restrict 
all  uses  of  patient  information,  as  opposed  to  disclosure  of  information.  We  agree 
that  hmits  on  disclosure  are  necessary  and  appropriate.  Attempting  to  regulate  all 
uses,  however,  particularly  uses  within  an  entity,  creates  a  myriad  of  problems. 

For  example,  the  regulations  create  a  finite  list  of  narrowly-defined  activities  for 
which  data  can  be  used  without  individual  authorization. 

Let's  put  this  into  perspective.  In  the  field  of  health  care,  there  have  been  more 
new  strides,  developments  and  breakthroughs,  more  new  ideas,  practices  and  ap- 
proaches in  the  last  five  years  than  in  the  previous  25  years  combined.  It  is  incon- 
ceivable that  regulators  in  Washington  can  predict  and  define  today  what  a  nec- 
essary use  of  patient  information  wall  be  six  months  from  now,  let  alone  six  years. 
And  to  attempt  to  do  so  could  have  a  chiUing  effect  on  our  efforts  to  develop  bene- 
ficial new  uses  of  patient  data. 

Number  two,  these  regulations  raise  questions  as  to  whether  population  data  can 
be  used,  without  unreasonable  restriction,  to  support  patient  treatment  and  impor- 
tant health  care  activities.  For  example,  many  health  plans  today  will  review  their 
entire  enroUee  database  and  analyze  patterns  of  emergency  room  visits  and  pharma- 
ceutical usage  to  identify  those  patients  who  can  benefit  from  an  asthma  manage- 
ment program.  These  regulations  are  ambiguous,  at  best,  as  to  whether  this  would 
continue  to  be  an  acceptable  use  of  patient  information  without  first  obtaining  an 
individual's  authorization.  If  it  is  not,  too  many  Americans  will  continue  to  suffer 
needlessly  from  treatable  chronic  conditions. 

Number  three,  there  is  a  two-word  phrase  in  these  regulations  that  can  have  a 
major  detrimental  impact  on  patient  care.  That  phrase  is  "minimally  necessaiy." 
These  rules  stipulate  that  the  covered  entity  must  individually  review  every  legiti- 
mate request  for  patient  information  and  provide  only  that  information  that  is  mini- 
mally necessary. 

Beyond  the  burdensome  nature  of  this  requirement  -and  imagine,  for  just  one  hos- 
pital handling  hundreds  of  thousands  of  information  transactions  a  year,  how  costly 
and  time-consuming  it  will  be — it  creates  a  problematic  catch-22.  If  those  reviewing 
the  information  are  not  medical  professionals,  you  run  the  real  risk  of  excising  infor- 
mation that  can  be  critically  important  to  a  physician  or  a  medical  researchers.  If, 
on  the  other  hand,  you  assign  trained  nurses  and  physicians  to  review  data  to  deter- 
mine what  is  minimally  necessary,  you  are  taking  vital  resources  away  from  patient 
care.  In  either  case,  information  critical  to  treatment  and  research  could  be  with- 
held. That  could  expose  patients  to  harm. 

The  minimally  necessary  standard,  as  proposed,  simply  will  not  work. 

Number  four,  it  is  also  troublesome  that  the  regulations  require  the  cumbersome 
task  of  individual  authorizations  for  research  imrelated  to  treatment.  What  does 
that  phrase  mean — ^research  unrelated  to  treatment?"  The  regulations  are  not  clear, 
and  that  ambiguity  coTild  lead  to  restrictions  down  the  Une  that  undermine  vital 
medical  research.  What  we  do  know  is  that  the  great  research  faciUties  of  this  coim- 
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try — the  Mayo  Clinic,  Johns  Hopkins  and  so  many  others — do  extensive  medical  re- 
search that  is  not  targeted  to  a  particular  disease  or  condition  but  that  results  in 
unforseen  and  unanticipated  health  breakthroughs.  No  regulation  should  inhibit  or 
undermine  this  type  of  research.  I  have  detailed  other  concerns  with  the  rule's  re- 
search provisions  in  my  written  testimony. 

And,  finally,  Mr.  Chairman,  it  is  clear  in  reviewing  these  regulations  that  HHS 
has  tremendously  underestimated  the  impact  of  these  rules  on  health  care  costs. 
The  total  estimated  compliance  cost  of  $3.8  billion  over  five  years  fails  to  account 
for  several  new  requirements  found  in  these  pages.  The  cost  of  personnel  to  deter- 
mine the  minimally  necessary  amount  of  information  to  be  disclosed.  Requiring 
health  care  providers  to  monitor  the  practices  of  their  business  partners.  Estabhsh- 
ing  and  operating  federally-mandated  privacy  boards.  The  list  goes  on  and  on,  Mr. 
Chairman,  and  the  bill  to  patients,  providers  and  the  employers  who  provide  health 
coverage  will  be  a  high  one. 

In  tlus  vein,  it  needs  to  be  emphasized  that  the  Secretary  has  reached  beyond  her 
authority  by  requiring  covered  entities  to  apply  these  regulations  in  contracts  with 
their  "business  partners"  and  to  monitor  those  business  partners'  activities.  And,  it 
is  outside  the  Secretary's  authority  to  provide  an  implied  private  right  of  action  not 
envisioned  by  HIPAA. 

Ultimately,  as  I  mentioned  earlier,  we  hope  that  Congress  will  pass  comprehen- 
sive confidentiahty  legislation.  As  well  intentioned  as  these  regulations  are,  the  De- 
partment cannot,  under  the  HIPAA  law,  preempt  state  laws  that  are  contrary  to  or 
stricter  than  the  federal  rules.  Thus,  as  illustrated  in  Tab  two  of  my  testimony,  we 
wiU  continue  to  have  a  situation  in  which  the  simple  act  of  filling  a  prescription 
can  involve  the  separate  and  sometimes  contradictory  confidentiality  laws  of  half  a 
dozen  or  more  states. 

A  nationally  uniform  standard  would  provide  certainty  and  clarity  for  all  involved 
in  the  health  care  delivery  system — patients,  providers,  researchers  and  plans. 

We  wish  to  continue  to  work  with  you,  Mr.  Chairman,  and  the  members  of  this 
committee  to  advocate  a  legislative  approach  that  will  protect  confidentiahty  while, 
at  the  same  time,  allow  the  free  flow  of  information  that  saves  lives  and  ensures 
quahty  health  care  for  the  American  people. 

We  will  also  continue  to  work  with  HHS  on  its  regulation  and  have  submitted 
what  we  hope  are  constructive  comments  to  improve  this  rule. 

Again,  thank  you  for  this  opportunity  to  testify  today. 

Summary  ofHLC  Comments  on  the  Proposed  HHS  Regulations 

Since  enactment  of  HIPAA,  which  set  in  motion  this  debate,  the  HLC  has  sup- 
ported several  general  principles:  (1)  Patient  information  should  be  protected,  safe- 
guards should  be  provided,  and  patients  shoxild  have  access  to  their  own  records; 
(2)  clear  boundaries  should  be  set  around  disclosure  of  patient  information;  (3)  pen- 
alties for  violating  these  requirements  should  be  imposed;  (4)  patient  information 
should  be  available  for  research;  and,  (5)  a  nationally  uniform  set  of  standards 
should  replace  the  "crazy  quilt"  of  conflicting,  confusing,  and  sometimes  harmful, 
state  laws. 

The  HLC  has  thoroughly  reviewed  the  proposed  HHS  regulations  and  has  submit- 
ted extensive  comments  from  a  broad  industry-wide  perspective  on  aspects  of  the 
rule  we  support,  and  others  that  we  cannot  support  without  substantial  modifica- 
tions. The  following  will  highlight  our  comments  on  the  proposed  rule. 

Aspects  Of  The  Proposed  Rule  HLC  Supports 

Allowing  Disclosure  I  Use  Without  Authorization  For  Appropriate  Activities 

The  HLC  supports  the  Department's  approach  of  permitting  patient  information 
to  be  used  for  payment,  treatment,  and  healthcare  operations  without  requiring  en- 
tities to  obtain  individual  authorizations.  This  so-caUed  "statutory  authorization" 
approach  is  clearly  correct.  Alternative  approaches  requiring  separate  authoriza- 
tions fi:'om  the  individual  each  time  information  is  disclosed  or  used  for  appropriate 
health  care  activities  would  seriously  disrupt  our  health  care  system  and  harm  pa- 
tient care. 

For  example,  providers  routinely  order  tests  and  other  services  through  imrelated 
providers  (such  as  laboratories  or  radiology  services),  not  all  of  which  have  contact 
with  a  patient.  Family  members  routinely  pick  up  prescriptions  for  a  sick  family 
member  at  home.  Each  of  these  potential  exchanges  of  information  could  be  subject 
to  separate  authorizations  by  the  individual  under  multiple  authorization  schemes. 
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Health  plans  often  cover  spouses,  dependents,  and  even  children  not  living  with 
the  parent  who  subscribes  to  the  plan.  Collecting  authorizations  from  these  individ- 
uals could  create  serious  obstacles  for  the  delivery  of  health  care  services. 

The  potential  harm  caused  by  such  multiple  authorization  schemes  is  not  idle 
speculation.  Maine  passed  such  a  law  that  was  so  disruptive  it  was  repealed  in  an 
"emergency^'  bill  just  14  days  after  taking  effect. 

Some  Americans  still  view  our  health  care  delivery  system  as  the  relationship  be- 
tween patient,  doctor,  hospital,  and  pharmacist.  The  reahty,  of  course,  is  that  our 
system  has  evolved  into  a  highly  integrated,  complex,  and,  as  a  result,  better  dehv- 
ery  system.  Tab  one  of  HLC's  testimony  illustrates  the  many  integrated  component 
parts  of  our  health  care  system.  Requiring  separate  authorizations  to  allow  informa- 
tion to  move  among  these  components  would  be  highly  disruptive  and  compromise 
patient  care. 

We  do  have  concerns  with  several  Umitations  put  on  the  "statutory  authorization" 
which  are  discussed  later. 

Including  Important  Health  Management  Activities 

The  HLC  also  supports  the  inclusion  of  treatment,  payment  and  health  care  oper- 
ations in  the  activities  for  which  no  individual  authorization  is  needed.  We  are 
pleased  that  the  Department  recognized  the  importance  of  such  activities  as  case 
and  disease  management  to  patients  by  including  them  in  their  definitions.  Disease 
management  programs  for  chronic  diseases  such  as  asthma,  diabetes,  heart  disease, 
and  others  are  aramatically  improving  the  lives  of  millions  of  Americans.  We  do 
have  concerns  with  some  hmitations  on  these  programs  which  we  discuss  later. 

Other  Allowed  Uses  and  Disclosures 

The  HLC  supports  the  need  for  disclosure  to  public  health  authorities  and  is 
pleased  that  the  rule  allows  disclosure  to  someone  complying  with  such  an  author- 
ity. We  also  support  the  need  for  the  disclosure  to  health  oversight  agencies  to  im- 
prove 

health  care  quaUty  and  protecting  pubhc  health,  as  well  as  for  government  health 
data  systems. 

Research 

Finally,  the  HLC  supports  the  g:eneral  direction  of  the  research  provisions  of  the 
rule  to  the  extent  it  does  not  require  individusd  authorization  for  disclosure  of  data 
to  research  entities.  We  do  have  some  major  concerns  about  the  research  provisions 
will  be  discussed  later  in  our  testimony. 

Provisions  of  the  Proposed  Rule  of  Concern  to  HLC 

Regulating  Use  of  Information 

While  the  HLC  supports  the  need  for  the  rule  to  restrict  disclosure  of  patient  in- 
formation outside  of  appropriate  entities,  we  are  concerned  about  the  numerous  and 
burdensome  restrictions  on  the  uses  of  such  information,  particularly  uses  within 
a  covered  entity.  These  restrictions  on  use  of  information  create  several  problems. 

•  The  rule  prohibits  all  internal  uses  of  data  that  do  not  fall  in  to  a  relatively 
narrowly  defined  set  of  activities.  The  Department  is,  thereby,  taking  the  position 
that  it  can  define  all  conceivable  appropriate  uses  of  patient  information.  We  beUeve 
that  this  is  not  only  impossible  for  current  uses,  but  such  an  approach  would  have 
a  chilling  effect  on  the  development  of  beneficial  new  uses  of  patient  information. 

•  The  HLC  is  concerned  that  the  rule  will  unduly  limit  the  use  of  population  data 
that  is  used  to  support  patient  treatment  and  other  legitimate  activities.  This  is  be- 
cause the  allowable  uses  of  patient  information  are  closely  tied  to  the  provision  of 
health  care  to  an  individual  patient.  This  raises  a  question  as  to  whether,  for  exam- 
ple, a  health  plan  could  review  an  entire  enroUee  database  to  identify  specific  indi- 
vidusds  whose  utilization  patterns  of  asthma  drugs,  or  emergency  room  visits,  indi- 
cate they  would  benefit  from  being  enrolled  in  an  asthma  management  program. 

•  Again,  because  an  entity's  internal  uses  of  patient  information  are  so  sharply 
restricted  by  the  rule,  several  important  internal  business  operations  of  health  care 
providers  and  plans  could  be  left  out.  For  example,  a  national  health  plan  recently 
imdertook  a  stu^  to  evaluate  the  cost  effectiveness  of  its  preauthorization  require- 
ments. Audits  of  real  cases  containing  patient  information  were  necessary.  The 
audit  resulted  in  the  plan  dropping  some  preauthorization  requirements,  a  good  re- 
sult for  patients  and  the  plan. 

•  The  HLC  is  concerned  that  the  definitions  of  treatment,  payment,  and  health 
care  operations  may  be  diluted  by  the  rule's  approach  broadly  defined  as  "market- 
ing." If  a  use  or  disclosure  is  deemed  to  be  for  the  purpose  of  marketing — a  term 
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not  defined — an  individual  authorization  would  be  required.  This  determination 
could  be  made  on  a  retrospective  basis  and  could  be  apphed  to  certain  types  of  dis- 
ease management  programs,  and  also  the  use  of  formularies  by  health  plans,  and 
providers  (most  notably  hospitals).  For  instance,  a  candidate  for  an  asthma  disease 
management  program  may  receive  a  more  effective  drug  therapy  under  a  disease 
management  program.  There  is  the  risk  that  under  the  rules  such  activities  could 
be  viewed  as  marketing  activity.  To  the  extent  arrangements  fall  within  the  defini- 
tion of  treatment,  payment,  or  health  care  operations,  they  should  not  be  subject 
to  conflicting  rules  under  "marketing." 

The  HLC  recommends  that  the  rule  focus  on  restricting  disclosure  of  patient  infor- 
mation, not  use  (particularly  use  within  an  entity).  At  a  minimum,  internal  manage- 
ment functions  of  providers  and  plans  that  involve  only  the  use,  not  disclosure,  of 
patient  information  should  be  broadly  included  under  the  definition  of  health  care 
operations. 

Minimum  Necessary  Rule 

The  rule  requires  that  entities  "review  each  request  for  disclosure  individually  on 
its  own  merits  [fi-om  preamble]"  and  determine  which  information  is  minimally  nec- 
essary. It  is  neither  practical  nor  consistent  with  good  medical  practice  to  promote 
a  rule  that  would  encourage  and  possibly  require  excision  of  data  in  a  medical 
record.  The  recent  Institute  of  Medicine  report  underscores  the  potential  harm  to 
patients  when  providers  have  only  hmited  access  to  information.  The  HLC  suggests 
that,  alternatively,  entities  be  allowed  to  have  general  practices  and  guidelines  and 
not  be  required  to  make  individual  determinations. 

Unnecessary  Administrative  Burdens 

•  The  HLC  is  concerned  that  the  requirements  for  accounting  for  the  disclosure 
of  patient  information,  detailed  provisions  governing  the  practices  of  "business  part- 
ners" and  their  relationship  with  covered  entities,  and  the  training  and  certification 
requirements  will  greatly  increase  the  administrative  burden  borne  by  covered  enti- 
ties. 

•  The  Department  has  exceeded  the  scope  of  its  authority  under  HIPAA  in  sev- 
eral provisions,  most  notably  in  those  provisions  pertaining  to  the  "business  part- 
ner" of  a  covered  entity.  And,  it  is  outside  the  Secretary's  authority,  and  not  envi- 
sioned by  HIPAA,  to  provide  an  impHed  private  right  of  action. 

De-identifying  Data 

The  HLC  has  serious  concerns  that  the  standard  for  de-identifying  data  in  the 
rule  sets  the  bar  too  high.  Requiring  that  19  identifiers — including  even  "account 
numbers"  and  "zip  codes" — be  removed  to  de-identify  data  would  make  data 
anonymized  and  nearly  worthless  to  most  researchers.  The  practical  effect  of  this 
standard  will  be  to  discourage,  rather  than  encourage,  encryption  and  other  efforts 
to  de-identify  records.  The  HLC  recommends  that  these  "identifiers"  be  Hmited  to 
a  more  reasonable  Ust  of  characteristics  that  truly  identify  individuals. 

Research 

•  The  HLC  believes  that  modifications  to  the  Institutional  Review  Board  (IRB) 
process  should  be  addressed  separately  in  a  comprehensive  review  of  the  IRB  proc- 
ess and  not  via  this  rule.  Several  of  the  criteria  to  be  used  by  an  IRB  (or  "privacy 
board")  exceed  the  Department's  authority  by  regulating  the  content  of  research,  as 
opposed  to  overseeing  the  confidentiality  of  data  in  research. 

•  The  requirement  that  individual  authorization  be  obtained  to  use  data  in  "re- 
search unrelated  to  treatment"  is  unworkable  and  unnecessary. 

•  The  HLC  is  concerned  that  the  disclosure  or  use  of  data  may  be  subject  to  the 
"minimum  necessary"  requirements  mentioned  earher. 

National  Uniformity 

One  of  the  primary  reasons  HLC  supports  comprehensive  legislation  to  protect 
confidentiaHty  is  the  need  to  provide  a  nationally  uniform  standard.  The  confusing 
and  contradictory  patchwork  of  state  laws  is  an  ineffective  -and  sometimes  harm- 
ful— approach  to  regulating  a  highly  integrated  and  decidedly  interstate  health  care 
deUvery  system. 

An  illustration  of  why  state  confidentiality  laws  are  inappropriate  in  health  care 
is  included  imder  tab  two  of  my  testimony.  In  this  example,  a  college  student  living 
in  New  York  is  prescribed  a  medication  in  New  Jersey.  Before  the  transaction  is 
completed,  entities  in  seven  states  are  involved.  Which  state's  confidentiality  laws 
apply?  The  answer  is  "all  of  them!" 
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The  HLC  has  examined  all  of  the  state  confidentiality  laws  on  the  books,  and 
many  more  being  proposed,  and  concludes  that  a  nationally  \iniform  standard  would 
do  more  to  protect  the  confidentiahty  of  patients'  information  than  any  other  single 
reform.  Such  a  nationally  imiform  standard  would  provide  certainty  and  clarity  that 
would  at  once  protect  patients  and  not  unduly  burden  health  providers,  plans,  and 
others. 

Of  course,  under  HIPAA,  the  Department  does  not  have  authority  to  preempt 
state  laws  that  are  contr£iry  or  stricter  than  the  federal  rules.  Thus,  the  need  for 
comprehensive  legislation.  At  the  very  least  then,  the  HLC  beUeves  that  it  is  inctun- 
bent  upon  the  Department  to  evaluate  state  laws  and  provide  guidance  to  covered 
entities  regarding  which  state  standards  covered  entities  should  follow. 


TAB  1 


72 


TAB  2 


Chairman  Thomas.  Thank  you  very  much,  Ms.  Grealy.  Dr.  Ober? 
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STATEMENT  OF  N.  STEPHEN  OBER,  M.D.,  PRESIDENT  AND 
CHIEF  EXECUTIVE  OFFICER,  SYNERGY  HEALTH  CARE,  WAL- 
THAM,  MASSACHUSETTS 

Dr.  Ober.  Chairman  Thomas,  members  of  the  subcommittee, 
thank  you  for  the  opportunity  to  appear  before  you  today.  My  name 
is  Stephen  Ober.  I  am  a  physician  and  President  and  CEO  of  Syn- 
ergy Health  Care,  a  health  research  and  data  analytics  company 
headquartered  in  Waltham,  Massachusetts. 

Sjoiergy  is  a  subsidiary  of  Quintiles  Transnational  Corporation, 
the  largest  contract  research  organization  in  the  world  and  a  leader 
in  health  care  informatics  services.  As  a  subsidiary  of  Quintile, 
Synergy  is  an  affiliate  of  ENVOY,  the  largest  claims  clearinghouse 
in  the  United  States,  which  processes  an  average  of  3.5  million 
electronic  data  transactions  per  day,  providing  connectivity  be- 
tween 270,000  providers  and  800  payers.  I  have  been  part  of  a 
Quintiles  work  group  which  has  closely  analyzed  the  NPRM  in  re- 
lation to  its  impact  on  claims  clearinghouses  and  their  business 
partners. 

Let  me  begin  my  comments  by  stating  that  Synergy  and 
Quintiles,  in  general,  believe  that  the  proposed  NPRM  standard  to 
protect  the  privacy  of  individually  identifiable  health  information 
are  reasonable.  However,  I  would  like  to  offer  four  brief  comments. 

First,  clearinghouses  are  defined  as  covered  entities  by  the  rule. 
But  because  clearinghouses  are  also  business  partners  of  providers 
and  health  plans  and  do  not  have  direct  relationships  with  pa- 
tients, several  requirements  of  the  rule  appropriately  do  not  apply 
to  clesiringhouses,  such  as  providing  a  notice  of  information  prac- 
tices, and  offering  access  for  inspection  or  copying  of  records.  We 
applaud  this  sensible  approach  and  fully  support  the  concept  that 
clearinghouses  and  other  business  partners  would  not  be  permitted 
to  use  or  disclose  identifiable  health  data  in  ways  not  permitted  to 
the  covered  entity  to  which  such  information  was  initially  provided. 

We  are  concerned,  however,  by  the  provision  that  would  require 
a  covered  entity,  when  acting  as  a  business  partner  of  another  cov- 
ered entity — as  claims  clearinghouses  always  do — to  be  bound  by 
the  health  information  policies  and  procedures  of  its  partners. 
Thus,  the  health  care  clearinghouse  would  have  to  establish  its 
own  privacy  policies  and  procedures,  but  then  be  required  to  at- 
tempt to  adhere  to  the  privacy  policies  and  procedures  of  the  thou- 
sands— and  I  do  mean  thousands — of  other  covered  entities  for 
which  it  acts  as  a  business  partner. 

This  approach  would  needlessly  complicate  the  network  of  exist- 
ing relationships  and  be  practically  impossible  to  administer. 

Second,  the  NPRM  stipulates  that  covered  entities  must  have 
each  business  partner  sign  a  contract  which  details  the  uses  of 
identifiable  health  information  and  requires  its  protection.  Again, 
we  agree  with  this  principle.  However,  we  suggest  that  HHS 
should  adhere  to  its  stated  intention  of  promoting  de-identification 
of  individual  health  information  whenever  possible  by  clarif3ring 
that  business  partners  who  are  in  lawful  possession  of  identifiable 
health  information  may  create  de-identified  health  data  and,  in 
fact,  should  be  encouraged  to  do  so. 

Third,  in  the  NPRM,  the  Department  proposes  to  establish  a  safe 
harbor  for  the  creation  of  de-identified  health  information  if  cov- 
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ered  entities  eliminate  19  potential  individual  identifiers.  While  we 
agree  with  the  elimination  of  most  of  the  identifiers  mentioned, 
eliminating  others  would  negatively  impact  the  ability  to  use  these 
data  in  research  activity. 

For  example,  certain  geographic  identifiers  and  patient  date  of 
birth  are  two  of  the  most  important  demographic  data  elements  re- 
quired in  performing  most  health  care  research.  The  rule,  as  writ- 
ten today,  requires  elimination  or  modification  of  these  valuable 
elements. 

Finally,  one  of  the  most  exciting  potential  of  health  care  clearing- 
houses, and  the  one  I  am  personally  most  passionate  about,  lies  in 
the  capacity  to  create  de-identified  data  on  a  large  scale. 

In  the  NPRM,  HHS  comments  on  the  "many  instances  in  which 
such  individually  identifiable  health  information  is  stripped  of  the 
information  that  coiild  identify  individual  subjects  and  is  used  for 
analytical,  statistical,  and  other  related  purposes."  This  is,  in  fact, 
what  we  do  at  S3niergy. 

For  instance,  one  study  for  the  Centers  for  Disease  Control,  we 
showed  that  the  use  of  hepatitis  B  vaccine  by  physicians  decreased 
dramatically  following  several  reports  of  adverse  effects  of  this  im- 
munization, something  CDC  had  been  struggling  to  monitor  for 
several  months.  In  another,  we  were  able  to  illustrate  the  positive 
impact  of  an  education  program  aimed  at  increasing  appropriate 
physician  testing  and  treatment  of  the  bacteria  that  causes  peptic 
ulcer  disease,  a  curable  illness  today.  In  working  with  a  major  drug 
manufacturer  and  the  FDA,  S3nierg/s  timely  monitoring  of  a  pa- 
tient prescription  usage  patterns  lead  to  a  withdrawal  of  a  pre- 
viously used  drug. 

And  yes,  Mr.  Chairman,  we  have  also  done  work  looking  at  medi- 
cal errors.  These  are  just  a  few  examples  of  what  are  virtually  lim- 
itless uses  of  de-identified  health  care  information. 

While  we  are  most  supportive  of  the  NPRM  rule  as  a  covered  en- 
tity and  a  business  partner,  we  at  S3niergy  and  Quintiles  want  to 
be  certain  that  all  parties  reaUze  the  impact  of  these  regulations, 
if  not  carefully  derived,  could  have  on  the  status  of  health  care  re- 
search. 

On  behalf  of  Synergy  Health  Care  and  Quintiles  Transnational, 
thank  you  for  the  opportunity  to  appear  before  you  today. 
[The  prepared  statement  follows:] 

Statement  of  N.  Stephen  Ober,  M.D.,  President  and  Chief  Executive  Officer, 
Synergy  Health  Care,  Waltham,  Massachusetts 

Chairman  Thomas,  Members  of  the  Subcoimnittee:  Thank  you  for  the  opportunity 
to  appear  before  you  today  to  discuss  provisions  of  the  proposed  regulation  relating 
to  the  operations  of  health  care  clearinghouses,  the  creation  and  use  of  de-identified 
health  information,  and  the  preemption  of  state  laws. 

My  name  is  Stephen  Ober.  I  am  a  physician  and  President  and  CEO  of  S3mergy 
Health  Care,  a  health  research  and  data  analytics  company  headquartered  in  WS- 
tham,  Massachusetts.  Synergy  is  a  subsidiary  of  Quintiles  Transnational  Corpora- 
tion, the  largest  contract  research  organization  (CRO)  in  the  world  and  a  leader  in 
healthcare  informatics  services.  As  a  subsidiary  of  Quintiles,  Synergy  is  an  affiliate 
of  ENVOY,  the  largest  claims  clearinghouse  in  the  United  States,  which  processes 
an  average  of  3.5  million  electronic  data  transactions  per  day,  providing  connectivity 
between  270,000  providers  and  800  payers.  Some  of  you  may  have  read  of  the  pend- 
ing purchase  of  ENVOY  from  Quintiles  by  Healtheon/WebMD.  As  part  of  this  trans- 
action. Synergy  will  continue  to  receive  de-identified  data  from  ENVOY,  maintain- 
ing our  historic  ties.  The  matters  before  this  Subcommittee  regarding  data  privacy 
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and  medical  research  have  been  of  constant  interest  to  our  family  of  companies.  I 
have  been  part  of  a  Quintiles  workgroup,  which  has  closely  analyzed  these  matters, 
including  tne  NPRM  and  its  relation  to  the  impact  on  claims  clearinghouses  and 
their  business  partners,  and  I  am  happy  to  speak  t-o  you  on  this  topic  today. 

Health  Care  Clearinghouses 

As  you  know,  one  of  the  objectives  of  the  Health  Insurance  Portability  and  Ac- 
countabihty  Act  (HIPAA)  was  to  improve  the  efficiency  and  effectiveness  of  the 
health  care  system,  "by  encouraging  the  development  of  a  health  information  system 
through  the  establishment  of  standards  and  requirements  for  the  electronic  trans- 
mission of  certain  health  information."  One  reason  why  HIPAA  was  so  crucial  is 
demonstrated  by  the  rapid  growth  in  the  electronic  transfer  of  health  information: 
today  Q2%  of  all  healthcare  claims  are  processed  electronically,  and  for  hospital  and 
pharmacy  claims  the  percentage  is  over  80%.  In  1998  some  2.7  biUion  out  of  a  total 
of  4.4  billion  claims  were  processed  electronically,  an  important  factor  in  ongoing  ef- 
forts to  improve  the  efficiency  of  our  health  care  system  and  reduce  health  care 
costs. 

In  a  section  on  "administrative  simphfication,"  HIPAA  directed  HHS  to  adopt  a 
series  of  standards  that  would  encourage  uniformity  for  a  range  of  electronic  health 
information  transactions.  The  proposed  st-andards  for  the  privacy  of  indi\d dually 
identifiable  health  information  that  is  maintained  or  transmitted  electronically  were 
also  mandated  by  HIPAA  in  the  absence  of  the  passage  of  comprehensive  medical 
records  privacy  legislation  by  Congress.  The  NPKM  proposes  standards  to  protect 
the  privacy  of  indi\'idually  identifiable  health  information,  outlines  the  rights  of  in- 
dividuals who  are  the  subject  of  this  information,  and  defines  the  authorized  and 
permitted  uses  of  identifiable  health  information.  In  general.  Synergy  and  Quintiles 
beheve  that  the  proposed  rule  estabhshes  reasonable  standards  for  security  and  effi- 
ciency of  the  health  information  infrastructure.  We  applaud  HHS's  eff"orts  to  encour- 
age the  de-identification  of  health  care  data  for  medical  research. 

The  "covered  entities"  defined  by  HIPAA  include  health  plans,  health  care  provid- 
ers that  transmit  health  data  electronically,  and  health  care  clearinghouses.  Al- 
though clearinghouses  are  indeed  covered  entities,  the  proposed  rule  recognizes  that 
they  are  also  "business  partners"  of  the  health  care  providers  or  health  plans  for 
whom  they  are  processing  the  fuU  range  of  administrative  transactions  and  provid- 
ing connectivity.  Because  claims  clearinghouses  do  not  have  any  relationship  with 
individual  patients,  the  NPRM  appropriately  does  not  apply  several  requirements 
that  must  be  followed  by  health  plans  and  providers.  These  include,  providing  a  no- 
tice of  information  practices,  offering  access  for  inspection  or  copjdng  of  records,  and 
accommodating  requests  for  amendment  or  correction. 

We  endorse  this  sensible  approach,  and  support  the  concept  that  clearinghouses 
and  other  business  partners  would  not  be  permitted  to  use  or  disclose  identifiable 
health  data  in  ways  not  permitted  to  the  covered  entity  to  which  such  information 
was  initially  provided.  We  are  concerned,  however,  by  the  provision  that  would  re- 
quire a  covered  entity,  when  acting  as  a  business  partner  of  another  covered  entity 
(as  claims  clearinghouses  always  do),  to  be  bound  by  the  health  information  pohcies 
and  procedures  of  its  partners.  Thus,  a  health  care  clearinghouse  v/ould  have  to  es- 
tabhsh  its  own  privacy  pohcies  and  procedures,  which  is  entirely  sensible,  but  then 
be  required  to  attempt  to  adhere  to  the  privacy  pohcies  and  procedures  of  the  thou- 
sands of  other  covered  entities  for  which  it  acts  as  a  business  partner.  Obviously, 
this  approach  would  needlessly  comphcate  the  network  of  existing  relationships  by 
which  health  care  is  dehvered  and  paid  for  today,  and  potentially  thwarts  the  ad- 
ministrative "simplification"  HIPAA  meant  to  foster.  In  our  written  comment,  we 
have  requested  that  HHS  clarify  this  provision,  as  it  appears  redundant  and  more 
likely  to  produce  confusion  than  improved  protection  of  identifiable  health  informa- 
tion. 

Creation  and  Use  of  De-Identified  Health  Information 

The  NTRM  stipulates  that  covered  entities  must  have  each  business  partner  sign 
a  contract  which  details  the  uses  of  identifiable  health  information  and  requires  its 
protection.  Again,  we  agree  with  the  principles  that  the  use  of  identifiable  health 
information  by  a  business  partner  can  be  limited  by  contract  and  that  business  part- 
ners are  not  permitted  uses  or  disclosures  not  allowed  to  the  covered  entity.  How- 
ever, we  suggest  that  HHS  should  adhere  to  its  stated  intention  to  encourage  de- 
identification  of  individual  health  information  whenever  possible  by  clarifying  that 
business  partners  who  are  in  lawful  possession  of  identifiable  health  information 
may  create  de-identified  health  data  and,  in  fact,  are  encoiiraged  to  do  so. 

In  the  preamble  to  the  proposed  rule,  HHS  suggests  that  covered  entities  and 
business  partners  would  be  encouraged  to  create  de-identified  health  data  and 
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"would  be  permitted  to  further  use  and  disclose  such  de-identified  information  in 
any  way,  provided  that  they  do  not  disclose  the  key  or  other  mechanism  that  would 
enable  the  information  to  be  re-identified,  and  provided  that  they  reasonably  believe 
that  such  use  or  disclosure  of  de-identified  information  will  not  result  in  the  use  or 
disclosure  of  protected  health  information." 

One  of  the  most  exciting  potentials  of  health  care  clearinghouses  hes  in  the  capac- 
ity to  create  de-identified  data  on  a  large  scale.  Certainly,  using  de-identified  data 
for  health  research  affords  the  greatest  security  for  patient  privacy,  and  the  Depart- 
ment hopes  that  de-identified  data  would  always  be  used  when  it  is  sufficient  for 
a  given  research  purpose.  In  the  NPRM,  HHS  comments  on  the  "many  instances 
in  which  such  individually  identifiable  health  information  is  stripped  of  the  informa- 
tion that  could  identify  individual  subjects  and  is  used  for  analytical,  statistical  and 
other  related  purposes"  such  as  epidemiological  studies,  comparisons  of  cost,  quality 
or  specific  outcomes  across  providers  or  payers,  studies  of  incidence  or  prevalence 
of  disease  across  populations,  areas  or  time,  and  studies  of  access  to  care  or  differing 
use  patterns  across  populations,  areas  or  time."  In  regard  to  the  activities  of  claims 
clearinghouses,  the  NPRM  suggests  that  such  covered  entities  "could  want  to  use 
codes  or  identifiers  to  permit  data  attributable  to  the  same  person  to  be  accumu- 
lated over  time  or  across  different  sources  of  data"  and,  further,  that  a  "business 

Eartner  generally  could  create  a  database  of  de-identified  health  information  drawn 
'om  the  protected  health  information  of  more  than  one  covered  entity  with  which 
it  does  business,  and  could  use  and  disclose  information  and  analyses  from  the  data- 
base as  they  see  fit,  as  long  as  there  was  no  attempt  to  re-identify  the  data  to  create 
protected  health  information." 

At  Synergy  we  use  de-identified,  aggregated  health  information  to  provide  real- 
time data  analysis  to  improve  pharmaceutical  and  medical  service  outcomes.  For  in- 
stance, in  one  study  for  the  Centers  for  Disease  Control  (CDC),  we  showed  that  use 
of  the  Hepatitis  B  vaccine  by  physicians  decreased  following  several  reports  of  ad- 
verse effects  of  this  immimization — something  CDC  had  been  struggling  to  monitor. 
In  another,  we  were  able  to  illustrate  the  positive  impact  of  an  education  program 
aimed  at  increasing  appropriate  physician  testing  and  treatment  of  the  bacteria  that 
causes  peptic  ulcer  disease.  In  working  with  a  major  drug  manufacturer  and  the 
FDA,  Synerg/s  timely  monitoring  of  patient  prescription  usage  patterns  led  to  the 
withdrawal  of  a  previously  approved  drug.  These  are  only  three  examples  of  what 
are  virtually  limitless  uses  of  de-identified  health  information. 

In  the  NPRM,  the  Department  proposes  to  establish  a  "safe  harbor"  for  the  cre- 
ation of  de-identified  health  information  by  stipulating  that  "[a]  covered  entity  may 
use  protected  health  information  to  create  de-identified  information  by  removing, 
coding,  encr3rpting,  or  otherwise  eliminating  or  concealing"  nineteen  potential  identi- 
fiers. Thus,  regardless  of  a  large  or  small  population  size,  anyone  removing  all  of 
these  nineteen  identifiers  to  create  de-identified  information  could  safely  conclude 
that  the  information  is  not  identifiable.  As  we  have  posed  in  our  comments  to  the 
NPRM,  the  problem  is  that  the  anonymized  data  produced  by  this  "safe  harbor" 
method  and  the  resulting  aggregated  database  has  little  value  for  research  pur- 
poses. 

For  example,  the  Ust  of  nineteen  identifiers  includes  information  such  as  "city, 
county,  zip  code,  and  equivalent  geocodes."  However,  in  order  for  de-identified  data 
to  be  useful  as  health  research,  researchers  must  have  a  means  to  track  information 
demographically.  By  excluding  all  means  of  demographic  analysis,  i.e.,  city,  county, 
zip  code  and  equivalent  geocodes,  the  value  of  such  health  research  would  be  dimin- 
ished greatly.  In  our  written  comment  we  recommend  that  to  maintain  demographic 
value  of  the  de-identified  data,  some  geographic  locators  should  be  excluded  from 
the  list  of  nineteen  identifiers.  We  are  aware  that  there  is  a  higher  probability  of 
identifying  an  individual  if  a  nine-digit  zip  code  is  included  as  an  identifier.  By  re- 
taining city,  county  and  five-digit  zip  code  in  the  de-identified  data,  however,  the 
probability  of  identifying  an  individual  would  be  reasonably  low. 

Similarly,  HHS  includes  "[bjirth  date"  in  the  list  of  identifiers  that  must  be  re- 
moved or  concealed  to  qualify  for  the  de-identification  safe  harbor,  but  would  allow 
age  to  be  retained.  However,  the  actual  date  of  birth  is  of  critical  value  for  research 
purposes.  For  example,  without  date  of  birth  it  would  be  impossible  to  perform  re- 
search on  neonatal  and  pediatric  populations.  In  these  age  groups  differences  in 
health  status  are  measured  in  weeks  and  months,  not  years.  Access  to  date  of  birth 
also  avoids  any  of  the  ambiguities  in  assigning  patients  to  age  cohorts  that  can  mire 
research  efforts  and  produce  erroneous  results.  For  example,  it  may  be  unclear 
when  a  patient  labeled  as  "35  years  old"  was  actually  that  age — was  it  when  they 
joined  their  health  plan,  saw  their  physician,  or  submitted  their  medical  claim.  Ac- 
cordingly, retaining  the  date  of  birth  or,  at  least,  month  and  year  of  birth  would 
be  critical  to  research  and  produce  higher  quality  results. 
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In  the  NPRM,  HHS  proposes  an  alternative  method  for  the  creation  of  de-identi- 
fied data,  that  is,  "entities  with  appropriate  statistical  experience  and  expertise  may 
treat  information  as  de-identified"  even  if  it  contains  one  or  more  of  the  nineteen 
"identifiers."  We  appreciate  that  HHS  has  provided  concrete  guidance  regarding  de- 
identification  for  entities  that  need  it,  but  allows  a  sophisticated  entity,  using  a 
standard  of  "reasonableness,"  to  make  a  determination  whether  sufficient  informa- 
tion has  been  removed  so  that  "the  result  is  still  a  low  probabiHty  of  identification." 
Nevertheless,  even  sophisticated  users  could  decide  to  utilize  a  reasonable  "safe  har- 
bor" that  estabhshed  a  presumption  of  de-identification.  Such  a  universal  safe  har- 
bor would  allow  a  firamework  that  would  serve  as  a  benchmark  for  all,  promoting 
uniformity  in  the  health  care  industry  and  providing  greater  comfort  to  individuals 
with  respect  to  their  privacy. 

While  I  have  focused  on  the  potential  impact  of  the  proposed  rule  on  health  care 
clearinghouses,  and  the  creation  and  use  of  de-identified  data,  I  must  comment 
briefly  on  the  preemption  of  state  laws.  The  proposed  rule  would  estabUsh  a  floor 
and  preempt  only  those  state  laws  that  provide  'less  stringent"  privacy  protection. 
However,  allowing  states  to  create  more  stringent  standards  governing  particular 
kinds  of  information  or  certain  entities  will  create  a  confusing  and  ineffectual  array 
of  requirements.  The  proposed  rule  provides  a  logical  and  reasonable  federal  stand- 
ard for  "authorized"  uses,  but  without  preemption  of  state  laws  there  can  be  no  uni- 
formity of  protections  or  consistent  guidance  concerning  the  handling  of  identifiable 
health  information  for  health  plans,  providers,  researchers  or,  most  importantly,  pa- 
tients. 

On  behalf  of  Synergy  Health  Care  and  Quintiles  Transnational,  thank  you  for  the 
opportunity  to  appear  before  you  today.  I  will  be  happy  to  answer  any  questions. 


Chairman  Thomas.  Thank  you  very  much  for  your  testimony, 
Doctor,  and  I  do  thank  all  of  you  for  the  far  more  extensive  written 
testimony.  My  assumption  that  your  submission  to  HCFA  is  also 
far  more  extensive. 

Dr.  Plested,  your  position  is  one  which  I  think  is  fairly  recogniz- 
able in  terms  of  physicians,  the  desire  to  protect  that  relationship 
between  the  doctor  and  the  patient.  Does  the  AMA  or,  if  they  do 
not  have  a  position  do  you  as  a  practicing  physician,  have  any  con- 
cern about  the  fact  that  the  access  to  data,  even  if  we  were  to  re- 
strict it  to  just  the  physician  and  the  patient,  is  a  two-way  street 
\mder  this  structure?  That  is,  patients  have  the  right  to  look  at 
data  Eind,  in  certain  instances,  "correct"  the  data? 

Does  that  concern  you  all  about  whether  or  not  the  integrity  of 
the  medical  record  could  be  compromised,  by  the  patient's  ability 
to  make  changes? 

Dr.  Plested.  There  is  no  question  that  in  certain  instances  that 
is  true,  Mr.  Chairman.  I  am  sure  Dr.  McDermott  can  tell  you,  from 
the  point  of  view  of  a  psychiatrist,  that  there  are  times  when  it  is 
not  in  the  best  interest  of  a  patient  that  he  continually  review  the 
chart  and  the  notes  that  are  made  about  him.  We  feel  that  it  is  im- 
portant that  the  patient  be  a  part  of  the  treatment  and  we  have 
suggested  repeatedly  that  excerpts  or  that  summaries  should  be 
prepaired  for  all  patients.  Whether  or  not  every  patient  should  look 
at  everything  that  is  written,  we  are  afraid,  will  lead  to  a  practice 
of  omitting  sensitive  material  from  records  that  physicians  keep. 

Chairman  Thomas.  One  of  the  reasons  it  is  really  hard  to  get 
this  done  is  that  it  goes  to  the  heart  of  who  we  are  and  how  we 
operate.  Whenever  you  deal  with  individual  rights  versus  pubHc 
rights,  in  trying  to  get  that  proper  balance,  especially  in  toda)^s  in- 
formation rich  world,  it  is  very  difficult.  Look  at  the  Bill  of  Rights. 
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It  starts  out  Congress  shall  make  no  law,  and  then  away  we  go 
over  the  centuries,  making  laws.  So  it  is  a  very  difficult  thing. 

Doctor,  in  trjdng  to  reconcile  this  individual  versus  the  public 
rights  relationship,  do  you  believe  that  it  is  appropriate  for  us  to 
collect  the  data,  notwithstanding  the  very  strong  statement  you 
have  made,  to  attempt  to  get  at  the  heart  of  the  accidental  deaths, 
upwards  of  100,000,  that  the  Institute  of  Medicine's  To  Error  is 
Human  Report  indicates?  That  is,  use  this  data  for  the  public  good, 
attempting  to  collect  it  in  a  way  to  examine  practice  procedures 
which  might  be  collected  in  a  systemic  way  to  reduce  medical  er- 
rors? 

Is  that  a  public  good  that  you  place  fairly  highly  or  low? 

Dr.  Plested.  Well,  there  is  no  question  that  the  AMA  is  strongly 
on  record  that  this  is  an  absolute  public  need  and  a  public  good, 
and  that  is  why  we  established  the  National  Patient  Safety  Foun- 
dation, who  I  am  sure  you  are  quite  familiar  with.  The  question  is 
how  much  sensitive,  personally  identified  data  is  necessary  for  this 
type  of  activity  to  be  carried  out?  I  think  that  is  debatable.  There 
would  be  those  who  say  that  they  must  have  access  to  all. 

Clearly  that  is  not  the  case.  We  can  do  this  tj^e  of  a  job  that 
must  be  done  and  we  support  being  done  without  having  free  ac- 
cess to  everjrthing  in  a  patient's  medical  record. 

Chairman  Thomas.  Of  course,  if  the  choice  is  all  or  nothing,  we 
would  not  be  here  and  we  would  all  be  home  already. 

Ms.  Fox,  you  heard  the  testimony  of  HCFA,  that  they  felt  fairly 
comfortable  about  their  $3.8  billion  cost  over  five  years.  You  have 
indicated  that  it  is  somewhere  near  $40  billion. 

It  is  very  disconcerting  when  you  get  those  kinds  of  ranges.  My 
assumption  is  that  the  lower  the  amount,  I  would  put  to  you,  the 
stronger  you  or  Ms.  Grealy  or  others  would  feel  about  the  number 
being  accurate.  For  example,  if  I  said  let  us  just  cut  it  in  half,  and 
you  go  from  $40  billion  to  $20  billion,  and  let  us  take  their  number 
and  double  it  from  $3.8  billion  to  $7  billion,  that  is  still  a  pretty 
wide  range,  in  terms  of  what  the  costs  are  going  to  be  rippling 
through  the  system. 

I  think  that  is  your  concern.  Did  you  submit  information  which 
might  assist  HCFA  in  looking  at  the  final  reg,  getting  a  better  un- 
derstanding of  what  your  concerns  were  about  where  the  cost  cen- 
ters might  be  that  they  had  not  appropriately  looked  at? 

Ms.  Fox.  Yes,  we  did,  Mr.  Chairman.  I  think  one  aspect  is  in 
their  preamble  to  their  proposed  rule,  they  stated  that  there  were 
a  number  of  the  areas  they  just  did  not  have  data  to  base  the  esti- 
mate. Three  of  the  10  areas  they  mentioned  were  areas  that  we 
thought  were  particularly  expensive  that  we  did  very  detailed  esti- 
mates. We  have  met  with  them.  We  have  submitted  all  of  our  ma- 
terials, the  backup  materials.  We  have  also  met  with  the  General 
Accounting  Office,  the  Congressional  Budget  Office,  and  others,  be- 
cause we  thought  it  would  be  really  helpful  for  everybody  to  really 
take  a  look  at  some  of  these  assumptions. 

I  will  just  give  you  one  example  of  where  they  did  make  an  esti- 
mate where  our  estimates  are  very  different,  just  to  give  you  a 
sense  of  perspective.  The  regulation  requires  everybody  to  train 
their  employees  about  these  new  privacy  rules.  We  estimated,  we 
assumed  that  employees  would  spend  one  to  two  hours  over  the 
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five  year  period  learning  about  privacy  rules.  We  do  not  know  what 
their  hourly  estimates  were,  but  I  can  tell  you  for  health  plan  their 
preamble  says  an  entire  health  plan  would  spend  $100  training 
their  employees. 

I  can  tell  you,  as  an  employee  of  Blue  Cross  Blue  Shield  Associa- 
tion, on  virtually  any  issue  we  get  training  on,  we  spend  an  entire 
day  and  it  is  a  mandatory  training.  I  do  not  know  that  we  would 
do  that  on  this,  but  $100  a  health  plan  is  just  way  underestimating 
the  cost  of  training  your  employees. 

Chairman  Thomas.  Especially  if  you  get  caught  in  the  web,  it 
could  be  $250,000.  The  $100  would  not  have  been  well  spent.  What 
usually  occurs  in  those  instances  is  the  dollar  amount  goes  up  in 
relation  to  the  potential  downside.  I  agree  with  you,  $100  sounds 
a  little  short,  especially  with  what  $100  can  buy  today. 

Ms.  Goldman,  how  many  pages  of  information  did  you  submit  to 
HCFA? 

Ms.  GrOLDMAN.  We  submitted  nearly  120  pages  of  comments. 

Chairman  Thomas.  And  yet  your  testimony  indicated  you  were 
pretty  supportive  of  the  direction  that  they  were  going,  yet  you 
found  120  pages  worth  of  areas  worthy  of  commenting  on? 

Ms.  GrOLDMAN.  Not  to  be  accused  of  being  verbose,  we  were  mind- 
ful of  the  request  the  Secretary  made  when  she  issued  the  draft, 
that  we  should  comment  both  on  the  things  that  we  thought  should 
be  strengthened,  and  on  the  provisions  we  thought  should  be  main- 
tained. 

In  addition,  we  had  a  number  of  groups  sign  on  to  our  comments. 
And  so  each  section  of  the  regulation  that  we  comment  on  also  has 
the  sign  on  of  the  supportive  groups.  So  not  every  piece  of  paper 
is  taken  up  with  substantive  comments,  but  there  are  about  120 
pages. 

Chairman  Thomas.  Good,  because  I  know  that  you  were  instru- 
mental in  producing  for  the  this  Health  Privacy  Project,  the  Best 
Principles  for  Health  Privacy.  I  just  have  to  tell  you  that  I  was  a 
little  concerned,  as  this  group  pulled  together,  that  given  the  cross- 
section  of  individuals  involved,  which  again  was  a  very  representa- 
tive sample,  and  the  ability  to — I  am  sure  there  were  differences — 
to  resolve  them  and  present  specific  examples  for  principles.  One 
has  been  very  helpful  to  me  and  I  know,  too,  the  gentleman  from 
Maryland,  in  our  looking  at  what  we  are  doing,  so  I  was  interested. 

You  made  a  comment  and  I  want  people  to  imderstand  it,  be- 
cause you  said  in  the  area  of  law  enforcement  it  fell  short.  What 
you  meant  by  saying  that  it  fell  short  was  that  there  were  not 
enough  individual  protections,  vis-a-vis  the  ability  of  Government 
to  get  at  data  for  what  may  or  may  not  be  worthwhile  reasons. 
That  is  what  you  meant  by  falling  short? 

Ms.  Goldman.  Exactly. 

Chairman  Thomas.  Because  if  somebody  heard  it  and  said  you 
thought  law  enforcement  fell  short  they  might,  if  they  did  not  know 
you,  think  it  was  the  other  way. 

Ms.  Goldman.  We  hope,  and  we  have  not  looked  obviously  at  all 
of  the  comments  that  have  been  submitted  as  of  today,  all  of  the 
40,000,  but  our  hope,  based  on  everything  we  have  heard  in  the 
last  few  years,  after  the  Secretary  issued  her  recommendations,  is 
that  every  single  group,  the  consumer  groups,  disability  rights 
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groups,  the  health  plans,  providers,  researchers,  all  think  that  law 
enforcement  should  be  required  to  present  some  kind  of  legal  proc- 
ess that  is  issued  by  a  neutral  magistrate  and  has  a  strong  stand- 
ard in  it. 

I  realize  internally,  within  the  administration,  there  is  a  debate 
over  how  that  should  be  handled.  We  are  hoping  that  they  come 
down  on  the  right  side  and  strengthen  that  section. 

Chairman  Thomas.  But  on  a  continuum,  would  you  say  that  it 
is  fair  that,  in  comparison  to  the  Secretary's  first  attempt  in  deal- 
ing with  the  records  and  law  enforcement,  that  this  most  recent  at- 
tempt is  an  improvement?  Have  you  seen  movement,  significant 
movement,  modest  movement,  not  enough  to  really  count? 

Ms.  Goldman.  Her  initial  recommendation  said  we  should  main- 
tain the  status  quo,  which  is  essentially  unfettered  access  by  law 
enforcement  to  people's  medical  records.  So  in  a  few  years  they 
have  moved  from  that  to  saying  here  are  three  options  that  law  en- 
forcement can  choose  from  that  the  covered  entities  can  acknowl- 
edge, three  options. 

Our  concern  is  there  is  no  guidance  in  the  proposal  as  to  when 
law  enforcement  should  choose  which  option.  So  if  information  is 
highly  sensitive  and  there  is  a  serious  risk  of  abuse,  they  could  get 
an  investigative  demand  that  issues  internally  and  that  is  just  as 
sufficient  as  getting  a  warrant  or  a  subpoena. 

So  in  some  ways,  it  appears  to  be  an  improvement,  but  I  think 
that  it  is  a  little  misleading. 

Chairman  Thomas.  It  may  be  the  appearance,  rather  than  ac- 
tual. 

Ms.  Goldman.  Exactly. 

Chairman  Thomas.  Dr.  Ober,  your  background  and  your  busi- 
ness is  an  interesting  one.  Your  description  of  it  and  the  terminol- 
ogy you  use  is  more  and  more  becoming  commonplace,  about  these 
companies  that  do  not  make  widgets  but  provide  very  significant 
services  to  the  society.  There  was  an  old  ditty  about  big  bugs  have 
bigger  bugs  that  jump  on  them  and  bite  them,  and  bigger  bugs 
have  bigger  bugs  and  so  on,  ad  infinitum. 

This  business  of  having  entities  that  you  articulated  very  clearly, 
nevertheless  creates  this  kind  of  rotational  aspect.  Did  you  submit 
information  to  HCFA  to  assist  in  perhaps  breaking  that — if  it  is  not 
a  catch-22,  it  certainly  is  a  big  bugs  have  bigger  bugs  cycle? 

Dr.  Ober.  Yes,  we  did  our  best. 

Chairman  Thomas.  Given  the  way  you  deal  with  information,  are 
there  ways  to — 

Dr.  Ober.  Sir,  I  think  in  what  we  submitted  we  tried  to  be  quite 
clear  in  the  mjrriad  of  business  partners  that  we  have  and  who 
Synergy  is  and  what  Synergys  mission  is,  as  distinct  from  the 
claims  clearinghouse  partners  that  we  have  that  submit  the  de- 
identified  data  directly  to  us. 

Chairman  Thomas.  I  am  very  interested  in  this  business  of  de- 
identified  data,  notwithstanding  the  identifier,  since  especially  in 
dealing  with  electronics  you  can  flag  and  do  a  number  of  things 
that  allows  you  to  deal  with  de-identification,  but  if  something 
comes  up  you  can  go  back  and  look  up  a  critical  or  health  care  na- 
ture. 
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But  most  importantly,  the  absolute  desperate  need  for  broad- 
based  data  for  outcomes  research  and  for  medical  errors  correction. 
We  simply  would  not  be  able  to  make  significant  progress  in  those 
two  areas.  One,  cost  saving  is  very  important.  And  the  other,  life- 
saving  is  very  important  and  we  appreciate  the  data  that  you  have 
and  I  may  want  to  tap  into  it. 

The  gentleman  from  Washington? 

Mr.  McDermott.  Thank  you,  Mr.  Chairman. 

I  would  say  that,  having  done  this  for  a  few  years,  I  recognize 
the  technique  of  burying  people  in  paper  and  giving  inflated  esti- 
mates and  doing  a  lot  of  things  to  create  confusion,  which  stops 
things.  I  looked  at  that  cost  estimate  that  you  put  out  and  I  do  not 
want  to  spend  my  five  minutes  going  through  all  of  it,  except  to  say 
that  one  of  the  things  that  was  assumed  by  your  contractor,  Ms. 
Fox,  was  that  there  would  be  rules  requiring  new  authorizations 
from  current  subscribers  to  use  their  data  for  treatment,  payment 
of  claims,  or  other  health  care  plan  options.  And  they  estimated  it 
for  you  at  about  $2  billion. 

Now  the  fact  is  that  the  proposal  does  not  require  providers  or 
health  plans  to  obtain  patient  authorization  to  use  data  for  treat- 
ment, payment,  or  health  care  operations.  So  they  created  a  burden 
and  put  a  $2  billion  tag  on  it.  That  is  just  one.  There  are  a  whole 
series. 

I  think  that  if  we  are  going  to  make  the  decisions  here  on  the 
basis  of  what  privacy  is  worth,  then  we  ought  to  be  real  careful 
about  how  we  estimate  what  it  is  going  to  cost.  Because  maybe  we 
say  to  the  American  people  we  do  not  care  about  your  privacy  be- 
cause it  is  going  to  cost  too  much.  If  that  is  the  way  we  make  the 
decision  here,  we  will  have  a  serious  problem. 

I  do  not  think  the  Chairman  or  I,  or  anybody  else,  and  I  think 
when  you  get  these  kind  of  estimates  where  clearly  there  are  other 
things  in  here  that  I  can  go  through,  you  have  to  be  careful  about 
using  that  because  I  think  you  create  a  problem  for  yourself. 

Dr.  Ober,  let  me  ask  you  a  couple  of  questions,  because  I  have 
a  diagram  about  how  your  company  operates.  I  was  trying  to  figure 
out  what  kind  of  health  information  do  you  get  and  from  whom  do 
you  get  it? 

Dr.  Ober.  Currently,  our  stream  of  health  care  information  is 
electronic,  de-identified  and  encrypted  data  from  ENVOY  Corpora- 
tion, which  is  as  I  mentioned  earlier  the  country's  largest  claims 
clearinghouse.  It  is,  from  Synergy's  standpoint,  a  single  source,  as 
a  go-between  between  the  providers  of  health  care  and  the  payers 
of  health  care,  ENVOY  has  set  up,  over  years  and  years,  very 
standard  formats  in  encryption  technology,  such  that  Synergy  is 
the  daily  recipient  of  those  data  streams. 

Mr.  McDermott.  It  is  not  individually  identified? 

Dr.  Ober.  No,  sir. 

Mr.  McDermott.  It  is  all  de-identified? 

Dr.  Ober.  It  is  de-identified  and  encrypted;  that  is  correct.  At 
Synergy's  end  we  "use"  the  pharmacy  data  and  the  medical  data 
to  do  our  work. 

Mr.  McDermott.  But  you  use  that  data,  it  comes  over  the  Inter- 
net? 
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Dr.  Ober.  No,  sir,  it  comes  through  a  direct  T— 1  hookup  between 
Nashville  and  Boston,  Massachusetts. 
Mr.  McDermott.  You  have  one  line  that  goes  all  the  way? 
Dr.  Ober.  Yes,  sir. 

Mr.  McDermott.  And  nobody  can  break  into  that? 

Dr.  Ober.  No,  sir,  it  is  a  dedicated,  dial-up  line,  security. 

Mr.  McDermott.  As  we  have  watched  recently,  there  have  been 
some  privacy  breaches  in  health-related  websites.  You  are  saying, 
in  public  and  on  the  record,  that  there  is  no  way  anybody  can 
break  into  your  system? 

Dr.  Ober.  I  would  not  be  that  naive,  to  say  that  there  is  no  way 
someone  could,  sir.  I  think  there  is  probably  three  or  four  levels, 
when  you  think  about  what  we  mean  by  security  in  the  technology 
age  today.  And  there  is  a  major  difference  between  Internet  tech- 
nology, as  we  know  it  in  common  parlance,  and  also  the  dial-up  di- 
rect networks  that  we  have  set  up  with  ENVOY.  So  that  the  mul- 
tiple levels  of  security  that  we  have,  and  certainly  the  fact  that  it 
is  not  Internet  right  now,  and  that  it  is  a  direct  dial-up,  which  of- 
fers one  level  of  security. 

Secondly,  if  someone  were  to  get  into  our  "network"  as  does  hap- 
pen every  now  and  then,  there  are  no  less  than  three  levels  of  fire- 
wall and  security  checks,  passwords  and  double  passwords  and 
changing  passwords,  that  one  would  need  to  crack  that. 

But  then  we  are  also  offered  a  third  level,  which  I  think  is  quite 
valuable  to  the  business  we  are  in.  And  that  is,  if  somebody  were, 
God  forbid,  to  get  into  our  claims  level  database,  it  would  almost 
be  nonsensical  because  it  is  still  encrypted.  Certainly,  it  is  already 
de-identified.  But  on  top  of  that,  most  of  the  data  we  have  in  our 
warehouse,  in  our  database,  is  alpha-numeric  codes  that  to  a 
layperson  would  mean  nothing,  such  as  an  11-digit  for  a  particular 
pharmaceutical.  They  would  have  to  know  that  digit  means  a  par- 
ticular drug. 

Not  infallible  but  certainly,  we  think,  offers  quite  a  bit  of  protec- 
tion. 

Mr.  McDermott.  When  your  company  sells  ENVOY  to  WebMD, 
as  they  are  in  the  process,  what  are  they  selling  to  WebMD? 

Dr.  Ober.  The  assets  of  the  transaction  business. 

Mr.  McDermott.  What  are  you  giving  them? 

Dr.  Ober.  It  is  a  company  of  X  numbers,  hundreds  of  employees, 
and  the  technology  that  goes  into  transacting  the  process  of  those 
claims  from  providers  to  payers. 

Mr.  McDermott.  But  no  access  to  any  database? 

Dr.  Ober.  No,  sir. 

Mr.  McDermott.  You  are  just  selling  the  people;  is  that  what  I 
understand? 
Dr.  Ober.  Peoples,  computers,  hard  assets. 

Mr.  McDermott.  Why  would  WebMD  buy  that  bunch  of  people 
and  not  want  the  database  that  they  have? 
Dr.  Ober.  You  would  have  to  ask  Mr.  Arnold. 
Mr.  McDermott.  How  did  they  cut  them  off? 
Dr.  Ober.  Well,  we  still  are  going  to — 

Mr.  McDermott.  Did  they  say  we  will  leave  this  over  here,  you 
can  buy  everything  but  the  database? 
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Dr.  Ober.  We  were  very  much  arms-length  from  day  one  with 
ENVOY  because  we  have  set  up  these  very  elaborate  encryption 
and  de-identification  processes. 

Mr.  McDermott.  It  does  not  look  like  there  is  much  arms-length 
when  you  see  this,  it  says  product  development  and  commercializa- 
tion. You  are  down  in  the — 

Dr.  Ober.  Informatics. 

Mr.  McDermott.  Informatics.  You  gather  the  information  and 
pass  it  to  the  product  development,  who  then  commercialize  it. 
That  is  what  your  diagram,  that  is  what  your  promo  is? 

Dr.  Ober.  Yes,  and  that  is  maybe  confusing.  I  would  have  to  look 
at  it.  But  what  S3niergy's  core  business  is,  again,  it  is  medical  re- 
search and  it  is  analyzing  transaction  data  which  we  receive 
encrjrpted  and  de-identified  from  ENVOY.  It  has  always  been  our 
business,  even  prior  to  joining  Quintiles  and  that  organization. 

Mr.  McDermott.  With  your  indulgence  for  just  a  second,  then 
what  are  you  worried  about?  This  is  de-identified? 

Dr.  Ober.  Correct. 

Mr.  McDermott.  So  what  are  you  worried  about? 
Dr.  Ober.  Absolutely  nothing. 

Mr.  McDermott.  You  came  down  here  to  Washington  to 
testify — 

Dr.  Ober.  I  was  asked  to  testify,  particularly  I  think  based  on 
the  value  of  de-identified  health  care  information  for  the  public 
good,  as  we  have  met  with  Mr.  Cardin  and  others  throughout  the 
last  several  months.  Quintiles  is  a  very  large  organization,  and  we 
have  clinical  research  groups,  commercialization  groups,  and  of 
course  informatics. 

We  wanted  to  really  rest  assured  that  the  ability  for  our  business 
partners  to  do  the  de-identif5dng  and  continue  to  pass  that  very 
valuable  stream  to  us,  to  do  our  business,  would  not  be  impeded 
by  the  regs.  And  as  near  as  we  can  tell,  it  really  is  not. 

Mr.  McDermott,  But  what  is  the  problem,  when  the  regulation 
simply  requires  the  contract  between  you  and  the  people  who  are 
shipping  this  de-identified  information  to  you,  you  are  a  big  com- 
pany. Why  would  you  bristle  or  object  to  signing  a  simple  contract 
and  say  we  are  not  going  to  give  away  information  that  we  do  not 
have  an5nvay?  What  is  the  problem  with  that? 

Dr.  Ober.  I  went  over  the  three  or  four  points  that  we  were  con- 
cerned about  in  my  testimony,  and  which  we  have  submitted.  We 
wanted  to  really  rest  assured  that  our  ability  to  do  the  de-identi- 
fication, receive  de-identified  data,  would  not  be  encumbered  by  the 
regs.  And  the  early  drafts  were  still  questionable. 

I  think  the  rule,  as  we  have  read  it  today,  we  appear  to  be  very 
comfortable  with  it. 

Mr.  McDermott.  So  you  are  setting  up  a  false  ghost  here,  and 
you  are  now  clobbering  it;  right?  We  do  not  want  that  ghost?  Be- 
cause it  is  not  in  the  regs  now. 

Dr.  Ober.  We  are  certainly  glad  to  hear  you  say  that  and  we 
agree  that  most  of  what  we  were  looking  for  is  not  in  the  regs,  so 
we  are  quite  pleased  by  that.  Setting  up  contracts  with  individual 
business  partners  of  which  for  example,  wearing  my  ENVOY  affili- 
ate hate  right  now,  ENVOY  has  thousands  of  business  partners. 
And  it  becomes  quite  unclear  whether  or  not  those  business  part- 
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ners  have  to  execute  contracts  with  ENVOY,  of  which  there  are 
thousands  or  tens  of  thousands,  providers,  pharmacies,  payers,  et 
cetera,  et  cetera. 

Mr.  McDermott.  When  you  get  that  data,  you  guarantee  that  no 
one  can  xinscramble  your  encryption  and  get  out  names  or  an3dhing 
else,  or  mailing  lists  for  anything? 

Dr.  Ober.  It  is  as  secure  as  anj^hing  that  is  technologically 
available,  is  what  I  can  rest  assured  on. 

Mr.  McDermott.  I  really  find  it  hard  to  imderstand  why  you  are 
here,  what  you  are  worried  about.  If  you  are  not  exposing  individ- 
uals in  the  society — 

Dr.  Ober.  That  is  correct. 

Mr.  McDermott. — in  any  way,  why  should  these  regulations 
bother  you?  It  is  very  curious  to  me.  Maybe  somebody  else  knows 
what  he  is  worried  about.  I  do  not  know.  Ms.  Goldman,  do  you 
have  an  idea? 

Ms.  Goldman.  I  am  heartened  actually  to  hear  that  he  supports 
essentially  the  draift  regulation,  which  I  think  is  important.  Be- 
cause if  the  description  is  accurate,  that  what  ENVOY  is  transmit- 
ting is  de-identified,  it  is  then  not  covered  by  the  regulation  at  all. 
The  transmission  of  that  information  is  then  not  covered  because 
it  is  de-identified. 

Mr.  McDermott.  Thank  you  for  your  indulgence  for  an  extra  20 
seconds. 

Chairman  Thomas.  One  of  the  values  of  this  testimony,  I  think, 
beyond  doubt,  especially  your  somewhat  incredulous  belief  that 
there  was  some  value  in  whatever  it  was  that  these  folks  did  from 
a  business  point  of  view — I  was  curious  whether  they  were  publicly 
held  and  how  much  they  were  selling  this  stuff  for — is  just  an  indi- 
cation of  how  much  is  going  on  out  there  that  even  knowledgeable 
people  may  not  be  familiar  with,  but  if  you  say  something  that 
sounds  innocuous,  business  entities  must  and  therefore  in  exten- 
sion with  other  business  partners  create  relationships  in  which  you 
may  have  had  no  intention  whatsoever  of  disrupting,  but  in  fact 
you  may  very  well. 

His  initial  statement,  the  description  of  what  they  do,  the  fact 
that  someone  believes  there  is  value  in  it,  and  that  they  would 
have  to  then  comply  with  everybody  else  who  may  or  may  not  be 
identified  as  business  partners,  I  think  he  has  every  right  to  be 
concerned  about  how  HCFA  in  the  reg  does  identify  business  part- 
ners, notwithstanding  the  content  being  de-identified.  I  doubt  if,  in 
fact,  it  was  going  to  get  into  de-identifying  public  partners  in  terms 
of  the  data  they  have  versus  identified  public  partners  in  the  data 
that  they  have,  versus  those  that  are  merely  transmitters  of  that 
data  from  someone  else. 

It  is  that  kind  of  complexity  that  is  out  there  today  producing 
value  that  people  are  willing  to  spend  literally  millions  of  dollars 
for  that  may,  in  fact,  be  significantly  disrupted.  That  is  the  concern 
we  have.  I  appreciate  the  gentleman  taking  valuable  time  out  of 
doing  whatever  it  is  you  do  that  people  think  is  really  valuable,  for 
however  much  it  is  worth,  to  sensitize  us  to  the  concerns  that  you 
have. 

The  gentleman  from  Maryland? 

Mr.  Cardin.  Thank  you,  Mr.  Chairman. 
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Of  course,  if  we  had  given  HHS  proper  authority  or  delegation 
or  if  we  had  passed  a  bill,  we  woxild  not  have  this  problem.  I  think 
the  only  reason  we  have  this  convoluted  process  is  because  of  the 
desire  of  HHS  to  have  an  enforceable  privacy  act  and  under  the 
HIPAA  statute  they  do  not  have  the  ability  to  do  it.  That  is  why 
we  need  to  enact  a  bill. 

Chairman  Thomas.  I  obviously  totally  agree  with  the  gentleman 
but  I  do  hope  that  people  understand  that,  by  that  inference,  I  do 
not  think  that  you  mean  that  the  HIPAA  legislation  was  designed 
to  be  perverse  or  to  create  a  structure  which  would,  in  anticipation, 
create  the  problems? 

Mr.  Cardin.  No,  I  think  we  anticipated  that  Congress  was  going 
to  pass  a  privacy  act,  and  we  have  not  done  that. 

Chairman  Thomas.  Exactly. 

Mr.  Cardin.  All  these  are  trade-offs.  It  is  interesting,  you  talk 
about  the  trade-offs  for  privacy  for  the  patient  versus  the  need  for 
information  to  be  available  for  good  purposes,  whether  it  be  law  en- 
forcement, whether  it  be  research,  or  whether  it  be  treatment.  And 
there  is  trade-offs  on  cost.  Every  time  we  put  additional  reqmre- 
ments  in  to  protect  privacy,  there  is  going  to  be  some  sacrifice  of 
efficiency.  So  it  is  going  to  be  all  trade-offs. 

I  want  to  just  concentrate  on  one,  which  we  affectionately  call 
the  statutory  authority,  or  when  the  identifiable  information  can  be 
made  available  without  the  specific  authorization  of  the  patient.  If 
I  imderstand  Ms.  Goldman's  point,  you  are  concerned  that  in  the 
regulation  the  use  of  that  information  should  be  signed  off  by  the 
patient.  That  is  the  patient  gives  specific  authorization,  but  must 
know  that  information  can  be  made  available  by  signing  off  on  a 
form  indicating  an  acknowledgement  of  that.  Is  that  correct? 

Ms.  Goldman.  Exactly.  It  essentially  makes  the  notice  require- 
ment that  is  currently  in  the  proposal  more  meaningful.  Right  now, 
the  way  the  health  care  system  operates  is  that  people  do  not  get 
care  or  enroll  in  a  health  plan  unless  they  sign  an  authorization 
form.  People  sign  at  the  point  of  care  and  the  point  of  enrollment 
right  now.  The  Secretary  is  proposing  not  only  eliminating  that 
practice  but  prohibiting  that  practice  for  the  sharing  and  collection 
of  information. 

It  is  not  necessarily  a  meaningful  requirement  right  now  in  cur- 
rent practice,  in  other  words  you  do  not  have  a  real  choice  about 
withholding  your  authorization.  But  it  does,  I  think,  alert  the  pub- 
lic to  how  their  information  is  being  used  and  who  might  get  access 
to  it. 

Mr.  Cardin.  I  certainly  agree  that  notice  should  be  given  to  pa- 
tients. Patients  should  absolutely  know  that.  My  concern  is  what 
happens  if  the  patient  does  not  sign  off  on  the  acknowledgement? 

Ms.  Goldman.  My  imderstanding  of  the  way  the  current  system 
operates  is  that  you  can  withhold  treatment  and  deny  benefits  if 
people  do  not  authorize  the  use  and  disclosure  of  information  for 
treatment  and  payment.  And  right  now,  they  are  authorized  to  re- 
lease the  information  for  a  broad  category — 

Mr.  Cardin.  There  is  broader  reasons  than  just  treatment  and 
pa5nnent.  I  guess  my  question  is  if  the  patient  does  not  sign  off  on 
the  acknowledgement,  or  if  the  user  does  not  have  a  copy  of  that 
in  the  file,  what  does  that  meam? 
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I  think  we  have  to  think  that  ought.  Clearly,  I  agree  with  you, 
notice  is  absolutely  essential,  that  the  person  understands  what 
the  information  can  be  used  for.  I  just  do  not  know  whether  signing 
off  is  the  right  way  to  do  it,  and  whether  that  does  not  just  create 
more  problems  for  Ms.  Fox  and  Ms.  Grealy  on  administrative  costs. 

Dr.  Plested,  I  want  to  just  follow  up,  so  I  understand  the  AMA's 
position,  because  you  have  a  narrower  interpretation  of  what 
should  be  allowed.  You  want  to  have  more  specific  authorization 
from  the  patient.  I  take  it  not  in  regards  to  treatment?  Or  is  it  in 
regard  to  treatment,  also? 

If  you  get  a  request  from  a  physician  who  you  have  referred  a 
patient  to,  can  you  make  that  medical  information  available  with- 
out a  specific  authorization,  under  your  position? 

Dr.  Plested.  Clearly,  if  we  have  had  a  referral  from  another 
physician  and  the  patient  comes  to  see  us,  I  think  there  is  an  im- 
plied consent  that  we  share  the  information  about  that  patient. 

Mr.  Cardin.  So  you  would  not  need  specific  authorization  for 
that? 

Dr.  Plested.  No. 

Mr.  Cardin.  How  about  paying  a  bill?  Would  you  require  specific 
authorization  for  that? 

Dr.  Plested.  This  gets  a  lot  tougher.  Because  what  information 
is  needed  to  pay  a  bill?  Today,  if  I  submit  a  bill  for  a  consultation, 
I  have  to  submit  the  full  consultation  to  the  insurer.  Why  does  the 
insurer  need  to  know  your  mother's  family  history  or  what  your 
sexual  preference  is,  or  anj^hing  else,  because  I  saw  you  because 
you  have  a  sore  foot? 

Mr.  Cardin.  That  is  fair  enough,  I  agree  with  you.  It  should  be 
related  to  the  need  for  pa5rment. 

Dr.  Plested.  That  is  right.  But  now  the  insurer  has  a  form 
signed  that  he  gets  everything,  and  I  cannot  get  paid  without  it. 

Mr.  Cardin.  That  is  specific  authorization  in  most  cases  today. 
The  problem  we  have,  and  I  think  Ms.  Goldman  mentioned  it,  rou- 
tinely when  a  person  signs  up  for  a  health  care  plan  they  sign  a 
lot  of  forms.  In  many  cases,  they  do  not  even  know  what  they  are 
signing.  And  they  are  giving  blanket  authority  right  now  to  release 
everything. 

At  one  point  we  are  going  to  have  to  talk  about  the  use  of  specific 
authorization.  But  I  think  what  HHS  is  trjdng  to  achieve,  and  I 
know  what  Mr.  Thomas  is  attempting  to  do,  is  to  have  reasonable 
statutory  authority  specifically  as  to  what  information  is  really 
needed  so  that  we  get  away  from  these  blanket  authorities,  so  that 
we  get  away  from  people  not  knowing  that  they  have  released  so 
much  information  that  is  unnecessary,  because  your  point  is  well 
taken.  The  doctor  should  not  have  to  submit  the  whole  family  his- 
tory for  payment. 

And  if  we  have  proper  statutory  authority,  I  would  submit,  that 
would  not  be  happening.  But  because  of  the  absence  of  statutory 
authority  in  this  area,  we  find  that  there  is  more  information  being 
made  available  through  specific  authorization  than  is  needed. 

Dr.  Plested.  And  if  I  could  continue  that,  that  goes  directly  to 
the  Chairman's  question  about  whether  we  have  a  floor  or  a  pre- 
emptive rule,  and  it  depends  on  where  the  bar  is.  If  the  bar  is  high 
like  you  suggest  to  protect  patient's  privacy  for  only  that  informa- 
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tion  that  is  absolutely  necessary,  the  AMA  says  yes,  we  will  look 
at  a  Federal  preemption. 

But  now  the  Secretar/s  bar  is  so  low,  protecting  the  patient  and 
giving  any  entity  outside  all  the  information  that  they  want,  that 
is  why  we  feel  that  stronger  state  laws  are  important. 

Mr.  Cardin.  Thank  you,  Mr.  Chairman. 

Chairman  Thomas.  Thank  the  gentleman.  I  want  to  thank  all  of 
the  witnesses  and  the  members.  Another  question?  Go  ahead. 

Mr.  McDermott.  I  appreciate  your  letting  me  ask  one  more 
question. 

Chairman  Thomas.  I  reserve  the  right  to  thank  all  members. 

Mr.  McDermott.  I  want  to  go  back  to  Dr.  Ober.  The  Quintiles 
1998  report  states  that  by  combining  services  and  connections  and 
information  "Quintiles  is  creating  on  the  Internet  a  unique  soft- 
ware bridge  of  information  between  pharmaceutical  products,  pa- 
tients, physicians,  payers  and  regulators." 

Now,  they  do  clinical  trials? 

Dr.  Ober.  Correct. 

Mr.  McDermott.  So  they  have  somebod/s  name  then;  correct? 
Dr.  Ober.  I  am  sorry,  sir? 

Mr.  McDermott.  They  have  somebod/s  name  then,  when  they 
are  doing  a  cliriical  trial? 

Dr.  Ober.  For  cUnical  trial  purposes  they  certainly,  they  would 
have  the  names  at  the  physicians'  clinical  site,  but  everybody  is 
blinded,  to  the  best  of  my  knowledge,  to  information  that  is  central- 
ized. The  clinical  trial  results  in  many,  many  sites  worldwide. 
Where  an  individual  would  collect,  through  case  report  forms,  a  va- 
riety of  critical  information  about  the  study  at  hand. 

Mr.  McDermott.  So  Quintiles  never  receives  anybody's  name, 
ever? 

Dr.  Ober.  No,  I  cannot  make  that  statement,  sir.  Actually,  our 
informatics  group  does  not  work  with  the  clinical  trials  group  at 
all. 

Mr.  McDermott.  But  you  are  all  connected  in  this  business  rela- 
tionship in  your  picture  here;  right? 

Dr.  Ober.  Not  S3niergy,  sir.  Not  ENVOY.  The  clinical  trials  capa- 
bility, if  you  will,  which  is  emerging  for  administrative  efficiency  to 
take  place  over  the  Internet  and  other  interactive  connectivities,  is 
not  part  of  the  core  business  of  the  informatics  group  at  all. 

Mr.  McDermott.  But  you  are  all  business  partners,  by  the  defi- 
nition of  this  rule  and  regulation;  correct? 

Dr.  Ober.  Okay,  well,  business  partners  with  respect  to  the  fact 
if  we  were  using  that  information,  which  we  are  not.  We  have  noth- 
ing to  do  with  the  clinical  trial  site  of  Quintiles.  It  is  a  separate 
entity. 

I  know  the  diagrams  can  be  misleading,  but  there  is  no  relation- 
ship at  all  between  the  clinical  trials  group  and  the  information 
they  collect  is  completely  different  information  for  very  specific 
clinical  purposes,  which  I  believe  is  outside  the  reg,  as  opposed  to 
what  we  are  doing  with  de-identified  information  at  Synergy  and 
the  informatics  group.  Completely  different  datasets. 

Mr.  McDermott.  We  have  the  wrong  guy  here.  We  should  have 
the  guy  from  Quintiles,  as  to  whether  he  lets  the  information  go 
over  to  the  commercialization  under  Inovex,  right? 
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Dr.  Ober.  I  can  assure  you  that  there  is  no  connection  between 
patient  names  going  from  clinical  trails  to  Inovex.  That  I  can  as- 
sure you  of,  sir. 

Mr.  McDermott.  Thank  you,  Mr.  Chairman. 

Chairman  Thomas.  As  they  usually  say,  this  prospectus  is  for  in- 
formation only  and  it  should  not  be  considered  to  be  legal.  They 
have  a  whole  lot  of  papers  on  file,  and  you  are  working  off  of  one 
little  picture  here. 

It  is  very  complicated  and  if  they  have  any  clinical  trials  worth 
their  salt,  they  are  usually  double-blind  at  the  time  of  the  clinical 
trials. 

Dr.  Ober.  That  is  exactly  correct. 

Chairman  Thomas.  Let  alone  with  the  transmittal  of  informa- 
tion. 

I  thank  the  gentleman  very  much. 

I  also  thank  all  of  you  and,  as  I  intended  to  say  initially,  this  is 
a  very  difficult  area.  I  appreciate  everybody  keeping  the  politics 
down  to  a  minimum  and,  in  fact,  very  visible  because  the  policy  is 
tough  enough  standing  on  its  own. 

Thank  you  very  much  and  I  look  forward  to  working  with  you  as 
we  move  forward.  The  subcommittee  stands  adjourned. 

[Whereupon,  at  12:43  p.m.,  the  hearing  was  adjourned.] 

[Submissions  for  the  record  follow:] 

Statement  of  the  American  Academy  of  Pediatrics 

The  American  Academy  of  Pediatrics  was  pleased  to  comment  on  the  November 
3,  1999  Notice  of  Proposed  Rules  on  Standards  for  Privacy  of  Individually  Identifi- 
able Health  Information.  The  Academy  and  its  55,000  members  support  the  goal  of 
protecting  the  privacy  of  identifiable  health  information.  These  proposed  regulations 
are  an  important  first  step.  However,  because  the  Health  Insurance  Portability  and 
Accountability  Act  of  1996  gives  the  Department  of  Health  and  Human  Services 
only  limited  authority  in  this  area,  federal  legislation  protecting  the  privacy  of  all 
identifiable  health  information  used  by  all  entities  is  still  necessary. 

Our  comments  address  many  provisions  of  the  proposed  regulations.  In  particular, 
we  would  like  to  highlight  the  following: 

1)  Adolescents  have  a  unique  need  for  privacy  concerning  the  many  sensitive 
issues  they  often  face.  In  many  cases  adolescents  will  obtain  health  care  only  if  they 
are  guaranteed  that  their  parents  will  not  learn  about  it.  The  privacy  regulations 
must  protect  adolescents'  rights.  Generally,  the  regulations  create  a  "floor,"  pre- 
empting less  stringent  state  laws  on  privacy  of  health  information.  However,  the 
regulations  have  a  "hole  in  the  floor"  since  minors  are  not  guaranteed  that  the  fed- 
eral regulations  will  preempt  less  stringent  state  laws  concerning  their  confidential- 
ity rights.  The  regulations  should  provide  minors  with  a  uniform  privacy  standard, 
must  preserve  health  care  providers'  ability  to  treat  adolescents  confidentially  and 
must  ensure  that  minors  and  their  parents  are  informed  of  their  privacy  rights. 

2)  Health  care  providers  should  not  be  held  accountable  if  protected  health  infor- 
mation is  used  for  prohibited  purposes  by  the  entities  to  which  they  disclose  the  in- 
formation. Once  the  information  has  been  transmitted  responsibly  to  a  legitimate 
entity  for  a  specified  purpose,  its  privacy  should  be  the  responsibility  of  the  receiv- 
ing party. 

3)  Privacy  standards  should  apply  to  all  identifiable  health  information,  regard- 
less of  whether  it  has  ever  been  electronically  trsmsmitted  or  maintained. 

4)  The  scalable  nature  of  the  regulations  is  very  important  in  preventing  an 
\mdue  burden  for  physicians  and  ensuring  effective  provision  of  health  care. 

5)  The  provisions  regarding  research  require  substantial  revision  and  clarification 
to  better  direct  Institutional  Review  Boards  and  privacy  boards  and  so  that  respon- 
sible research  into  important  health  concerns  is  not  hampered. 

The  fiill  text  of  the  AAP  comments  will  be  avEolable  shortly  at  "http:l  I 
www.aap.org" 
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The  AAP  comments  Eire  also  endorsed  by  the  Association  of  Medical  School  Pedi- 
atric Department  Chairs,  the  American  Pediatric  Society,  and  the  Society  for  Pedi- 
atric Research 


American  College  of  Phsicians- 
American  Society  of  Internal  Medicine 
Washington,  DC  20006-1834 

February  17,  2000 

Margaret  Ann  Hamburg,  M.D. 
Assistgint  Secretary  for  Planning  and  Evaluation 
U.S.  Department  of  Health  and  Human  Services 
Attention:  Privacy-P 

Room  G-322A,  Hubert  H.  Humphrey  Building  '  ^ 

200  Independence  Avenue,  SW 
Washington,  D.C.  20201 

Re:  Comments  on  the  Proposed  Standards  for  Privacy  of  Individually  Identifiable 
Health  Information,  45  CFR  Parts  160-164,  64  Fed.  Reg.  59917  (November  3,  1999) 

Dear  Dr.  Hamburg: 

The  American  College  of  Physicians-American  Society  of  Internal  Medicine  (ACP- 
ASIM),  representing  116,000  physicians  who  specialize  in  internal  medicine  and 
medicsJ  students,  is  pleased  to  submit  comments  in  response  to  the  Notice  of  Pro- 
posed Rulemaking  (NPRM)  issued  by  the  Department  of  Health  and  Human  Serv- 
ices (HHS)  and  pubUshed  in  the  Federal  Register  dated  November  3,  1999.  ACP- 
ASIM  is  in  a  unique  position  to  evaluate  patient  privacy  legislation:  our  members 
represent  the  gamut  of  internal  medicine,  including  both  general  internists  and  sub- 
speciaUsts  engaged  in  the  practice  of  internal  medicine  as  individual  practitioners, 
members  of  group  practices,  government  employees,  professors  of  medicine,  and 
medical  researchers. 

Summary  of  Comments 

•  We  support  the  flexibiUty  that  wo\ild  reject  a  "one  size  fits  all"  approach  in  im- 
plementing the  privacy  provisions,  and  the  "minimum  necessary"  standard; 

•  We  support  the  way  the  rule  deals  with  disclosure  of  protected  health  informa- 
tion for  research  purposes,  protecting  patient  privacy  without  imposing  undue  bur- 
dens that  would  impede  research; 

•  We  support  providing  patients  with  the  right  to  inspect,  copy  and  amend  their 
patient  records,  and  requiring  notice  to  patients  of  their  privacy  rights  and  of  how 
their  medical  information  might  be  used  or  disclosed; 

•  We  support  the  provisions  regarding  pubhc  health  activities,  health  oversight, 
and  judicial  and  administrative  proceedings; 

•  In  general,  we  oppose  allowing  the  use  and  disclosure  of  confidentisQ  medical 
records  without  individual  authorization  for  treatment,  payment  and  health  care  op- 
erations (as  defined  in  the  NPRM); 

•  We  are  very  concerned  that  the  provisions  on  business  partners  would  be  very 
difficult  to  enforce,  create  open-ended  and  impredictable  hability  for  physicians  and 
are  unduly  burdensome; 

•  We  beUeve  the  provisions  concerning  law  enforcement  are  too  broad  and  would 
violate  privacy  rights; 

•  The  costs  of  implementing  the  proposed  rule  have  been  vastly  underestimated 
and  would  have  a  disproportionate  impact  on  small  business;  and 

•  Physicians,  especially  those  in  small  practices,  will  be  subject  to  disproportion- 
ate administrative  burdens  as  a  result  of  the  proposed  rule,  £md  should  be  exempted 
fi-om  the  most  onerous  provisions  of  the  rule.  Physicians,  unlike  some  of  the  other 
covered  entities,  are  already  boimd  by  ethical  obHgations  to  uphold  confidentiality 
and  privacy  rights  of  patients. 

General  Comments 

Confidentiahty  is  increasingly  difficult  to  maintain  in  this  era  of  computerized 
record  keeping  and  electronic  data  processing,  faxing  of  patient  information,  third- 
party  pa5rment  for  medical  services  and  sharing  of  patient  care  among  nimierous 
medical  professionals  and  institutions.  ACP-ASIM  commends  HHS  for  tackling  this 
difficult  and  complex  issue  and  for  attempting  to  ensure  protection  of  patient  con- 
fidentiahty without  impeding  or  preventing  access  to  data  that  is  essentisd  to  the 
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efficient  delivery  of  quality  patient  care  and  for  medical,  public  health  and  health 
services  research.  Given  the  limitations  on  HHS's  authority,  the  approach  of  tr5ring 
to  protect  the  information  itself  is  understandable.  We  are  concerned,  however,  that 
the  proposal  generally  sweeps  all  covered  entities  together  under  the  same  complex 
regulatory  framework.  Individual  physicians,  governed  by  ethical  codes  of  conduct 
and  state  professional  disciplinary  codes,  are  being  lumped  together  with  large  insti- 
tutional providers,  health  plans,  and  clearinghouses.  Are  there  data  to  suggest  that 
individual  headth  care  professionals  are  routinely  and  intentionally  breaching  con- 
fidentiality, or  that  patients  fear  that  they  are?  Anecdotally,  patients  express  con- 
cerns about  health  plans,  organizations  and  institutions  breaching  confidentiality, 
not  their  individual  physicians.  Physicians  are  obligated  to  protect  patient  confiden- 
tiality, especially  in  light  of  the  increased  risk  for  invasion  of  patients'  privacy  fi*om 
the  computerization  and  electronic  transmission  of  medical  records.  We  are  con- 
cerned that  the  rule,  proposed  as  "a  basic  set  of  legal  controls,"  might  be  viewed 
instead  as  all  that  is  required  of  physicians,  and  could  undermine  the  traditional 
ethical  and  professional  obligations  to  uphold  confidentiality.  Moreover,  the  pro- 
posed rule  does  not  cover  entities  that  are  more  likely  to  wrongfully  disclose  and 
misuse  confidential  information. 

The  ACP-ASIM  recognizes  the  need  for  appropriate  safeguards  to  protect  patient 
privacy,  because  trust  and  respect  are  the  cornerstones  of  the  patient-physician  rela- 
tionship and  quality  health  care.  Presence  of  trust,  respect,  and  privacy  create  an 
atmosphere  in  which  full  disclosure  of  information  fi-om  patient  to  physician  can 
occur,  enhancing  treatment.  Patients  have  a  basic  right  to  privacy  that  includes  the 
information  contained  in  their  medical  records.  Medical  personnel  who  collect  health 
information  have  a  responsibility  to  protect  patients  fi'om  invasion  of  their  privacy. 
Patients  need  to  be  treated  in  an  environment  in  which  they  feel  comfortaole  dis- 
closing sensitive  personal  information  to  a  physician  that  they  trust.  Otherwise, 
they  may  fail  to  fully  disclose  conditions  and  symptoms,  thereby  reducing  the  effec- 
tiveness of  treatment  and  perhaps  seriously  imperiling  their  health,  or,  they  may 
avoid  seeking  care  altogether  for  fear  of  the  negative  consequences  that  could  result 
from  a  disclosure.  Physicians  have  a  responsibility  to  respect  patient  privacy  first, 
except  when  doing  so  may  result  in  serious  harm  to  the  patient  or  others,  or  when 
required  by  law.  See  ACP-ASIM  Ethics  Manual  (Fourth  Edition),  Annals  of  Internal 
Medicine  1998,  128:  576-594).  We  are  concerned  that  the  NPRM  goes  too  far  in  the 
direction  of  disclosure  of  protected  health  information  without  individual  authoriza- 
tion; our  concerns  in  this  regard  are  set  forth  in  more  detail  under  the  section  deal- 
ing with  "Treatment,  Payment  and  Health  Care  Operations," 

The  NPRM  is  an  important  step  in  ensuring  federal  protection  for  the  privacy  of 
medical  records  and  represents  significant  progress  toward  finding  the  right  balance 
between  the  privacy  rights  of  patients  and  the  free  flow  of  information  that  is  nec- 
essary for  the  provision  of  effective  and  efficient  health  care  services.  The  limited 
scope  of  HHS's  authority  pursuant  to  the  Health  Insurance  Portability  and  Account- 
ability Act  (HIPAA)  of  1996,  however,  illustrates  that  comprehensive  federal  privacy 
legislation  is  needed.  Because  of  the  limitations  imposed  on  HHS,  too  many  burdens 
for  compliance  are  placed  on  physicians.  While  we  are  not  suggesting  that  the 
medical  privacy  rule  should  not  be  applied  to  physicians,  we  do  think  that 
there  should  be  a  reexamination  of  the  need  for  some  of  the  provisions,  as 
they  would  be  applied  to  small  physician  oftices.  To  the  extent  that  small 
physician  practices  are  not  exempted  from  the  provisions,  HHS  should 
apply  them  in  the  least  burdensome  fashion. 

Introduction  to  General  Rules 

ACP-ASIM  supports  the  "scalabilit)^'  approach  taken  in  the  NPRM,  under  which 
a  "one  size  fits  all"  standard  would  be  rejected  for  the  implementation  of  the  privacy 
provisions.  It  is  critical  that  each  affected  entity  be  able  to  assess  its  own  needs  and 
devise,  implement  and  maintain  appropriate  privacy  policies,  procedures  and  docu- 
mentation to  address  its  business  requirements.  Our  members  range  from  physi- 
cians working  in  solo  practitioners'  offices  to  multi-group  practices  to  academic 
health  centers,  all  of  which  have  different  needs  and  business  practices. 

ACP-ASIM  also  supports  the  stated  general  approach  of  the  rule  whereby  pro- 
tected health  information  (PHI)  could  not  be  used  or  disclosed  by  covered  entities 
except  as  authorized  by  the  individual  who  is  the  subject  of  such  information  or  as 
explicitly  provided  in  this  rule.  We  disagree,  however,  with  the  actual  approach 
taken  by  HHS  whereby  most  uses  and  disclosures  of  an  individual's  PHI  would  not 
reqiiire  explicit  individual  authorization  (see  discussion  below). 

Since  Congress  has  not  yet  passed  comprehensive  confidentiality  legisla- 
tion, ACP-ASIM  believes  that  special  safeguards  are  needed  to  cover  cer- 
tain highly  sensitive  parts  of  a  patient's  medical  record,  such  as  HIV  status. 


91 

mental  health  disorders,  drug  and  alcohol-related  problems,  sexually  trans- 
mitted diseases,  sickle-cell  anemia,  sexual  orientation,  and  other  highly 
sensitive  health  information. 

Treatment,  Payment  and  Health  Care  Operations 

Subject  to  limited  exceptions  for  psychotherapy  notes  and  research  information 
unrelated  to  treatment,  a  covered  entity  would  be  permitted  to  use  or  disclose  pro- 
tected health  information  (PHI)  without  individual  authorization  for  treatment,  pay- 
ment or  health  care  operations.  The  proposal  would  actually  prohibit  covered  enti- 
ties from  seeking  individual  authorization,  unless  rec^uired  by  State  or  other  appli- 
cable law.  While  ACP-ASBM  recognizes  that  this  proposal  is  intended  to 
make  the  exchange  of  PHI  relatively  easy  for  health  care  purposes  and 
more  difficult  for  other  purposes,  we  are  very  concerned  that  this  ap- 
proach would  allow  the  use  and  disclosure  of  confidential  medical  records 
without  the  consent  of  the  patient  in  extraordinarily  broad  circumstances. 
The  proposed  rule  allow  records  to  be  shared  without  limit  throughout  the  health 
care  system;  the  confidentiality  of  medical  records  can  be  set  aside  for  almost  any 
reason  at  all.  This  approach  undermines  the  bedrock  principle  critical  to  the  physi- 
cian-patient relationship  of  informed  consent,  and  will  undercut  traditional  codes  of 
medical  ethics. 

Confidentiality  between  the  doctor  or  other  health  care  professional  and  the  pa- 
tient is  an  essential  component  of  high  quahty  health  care.  Physicians  must  obtain 
informed  volimtary  consent  from  the  patient  before  their  medical  information  is  dis- 
closed for  any  purpose,  except  for  appropriately  structured  medical  research  (see 
below)  or  as  required  by  law.  (ACP-ASIM  Code  of  Ethics;  "Confidentiality  of  Elec- 
tronic Medical  Records,"  Public  Policy  Paper  2000).  At  some  point  in  the  treatment 
relationship  between  the  patient  and  the  physician,  preferably  at  the  first  encoun- 
ter, there  should  be  some  tjrpe  of  signed  written  authorization  that  is  a  legal,  in- 
formed consent  to  the  release  of  PHI  for  treatment  and  payment  purposes.  ACP- 
ASIM  supports  the  approach  taken  in  S.  578  (Jeffords-Dodd),  e.g.,  some  form  of  con- 
solidated authorization  by  which  health  care  providers  and  organizations  can  per- 
form their  various  functions  without  having  to  stop  and  obtain  authorization  at 
every  point  in  a  patient's  treatment.  Consent  is  particularly  important  since  the  pro- 
pose generally  would  not  restrict  to  whom  disclosures  could  be  made  for  treatment, 
payment  or  operations.  When  disclosures  are  made  to  non-covered  entities  (other 
than  business  partners),  the  protections  afforded  by  this  rule  would  not  be  apphca- 
ble.  While  this  limitation  points  to  the  need  for  passage  of  more  comprehensive  pri- 
vacy legislation,  until  such  legislation  is  passed,  individual's  health  information 
must  be  protected  more  strongly  than  provided  under  the  NPRM. 

Likewise,  allowing  disclosure  of  PHI  without  authorization  for  health  care  oper- 
ations is  problematic,  given  the  broad  definition  of  "health  care  operations."  As  in- 
dicated above,  ACP-ASIM  supports  requiring  authorization  before  PHI  can 
be  used  or  disclosed  for  most  health  care  operations.  At  the  very  least,  the 
definition  of  what  is  considered  to  be  health  care  operations  should  be  nar- 
rowed to  include  only  those  activities  that  truly  are  related  to  treatment 
or  payment. 

Minimum  Necessary 

ACP-ASIM  agrees  with  HHS  that  a  covered  entity  must  make  all  reasonable  ef- 
forts not  to  use  or  disclose  more  than  the  minimum  amoimt  of  PHI  necessary  to  ac- 
complish the  intended  purpose  of  the  use  or  disclosure.  Access  should  be  limited  to 
only  those  individuals  who  need  access  to  the  information  to  accomplish  the  use  or 
disclosure.  De-identified  patient  data  should  always  be  used  in  medical  research  and 
quality  improvement  processes,  unless  the  natiu^e  of  the  research  necessitates  iden- 
tification because  coded  data  would  be  impracticable. 

We  support  the  use  of  firewalls  to  limit  the  possibility  for  improper  data  uses 
within  an  entity,  but  note  that  the  proposed  scalability  standard  is  particularly  de- 
sirable in  creating  barriers  to  access  and  review  of  PHI.  Physicians  meiintain  records 
in  a  variety  of  settings,  fi^om  large  academic  institutions  to  private  offices  with  two 
staff  members  who  perform  all  administrative  functions.  Current  conditions  in  medi- 
cal offices  typically  place  physical  barriers  between  medical  records  and  non-staff, 
as  well  as  limiting  business  partners'  access  to  records. 

Practice  management  software  and  electronic  medical  record  software  packages 
are  widely  used  by  health  care  providers.  Privately  owned  physician  offices  have 
Hmited  access  to  technology  with  the  capacity  to  create  firewalls  within  their  offices. 
Although  software  packages  are  available  with  a  wide  range  of  customizable  fea- 
tures, they  typically  do  not  hmit  access  on  a  field-by-field  basis.  Many  programs 
limit  access  on  a  screen-by-screen  basis  or  a  function  basis  (such  as  appointment 
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scheduling,  billing,  viewing  laboratory  results),  but  these  are  not  completely 
customizable.  Purchase  of  custom  programming  or  replacement  of  current  computer 
systems  would  represent  an  undue  burden  on  providers  who  currently  have  as  Uttle 
as  $300  or  as  much  as  $50,000  invested  in  computer  software.  Encryption  tech- 
nology is  not  currently  available  to  most  small  businesses. 

Proposed  §  164.506(b)  generally  would  place  the  responsibiUty  for  determining 
what  is  the  "minimum  necessary"  disclosure  on  the  covered  entity  making  the  dis- 
closure. Covered  entities  would  be  required  to  make  "reasonable  efforts"  and  to 
incur  "reasonable  expense"  to  Umit  the  use  and  disclosure  of  PHI.  This  standard, 
while  flexible,  when  combined  with  the  scsdabiUty  approach  leaves  a  health  care 
provider's  staff  with  a  large  amount  of  discretion  and  complete  habihty.  It  is  not 
clear  what  "reasonable"  means  in  this  context;  there  is  much  gray  area  between 
what  is  "necessary"  information  for  medical  reasons  and  what  is  too  much  disclo- 
sure. In  addition,  a  covered  entity  would  be  required  to  review  each  request  for  dis- 
closure individually  on  its  own  merits,  rather  than  institute  a  poUcy  to  approve  cer- 
tain types  of  requests.  This  provision  will  require  that  an  individual  with  authority 
and  Imowledge  to  make  "minimum  necessary"  determinations  must  review  each 
record  request.  In  small  practices,  page-by-page  review  of  multiple  record  requests 
on  a  daily  basis  could  pose  excessive  administrative  time  requirements.  In  many 
cases,  it  will  be  cumbersome  to  determine  the  exact  need  for  every  piece  of  informa- 
tion and  exact  measurement  of  information  that  may  be  required  to  meet  that  need. 

We  would  encourage  HHS  to  reconsider  the  excessive  requirements  placed  upon 
cUnical  staff  by  transferring  the  burden  of  responding  to  medical  record  requests 
from  clinical  staff  to  administrative  personnel.  Each  hour  of  record  review  is  de- 
ducted from  the  limited  time  that  physicians  and  nurses  are  able  to  perform  their 
primary  functions,  caring  for  patients.  Covered  entities,  particularly  small  busi- 
nesses, should  be  allowed  to  create  an  internal  policy  to  allow  clerical  staff 
to  respond  to  many  routine  types  of  releases,  including  1)  disclosures  al- 
lowed under  any  section  of  this  proposed  rule  without  patient  authoriza- 
tion, and  2)  any  request  accompanied  by  a  written  authorization  signed  by 
the  patient.  Moreover,  the  burden  should  be  on  the  requestor  of  the  infor- 
mation to  make  the  "minimum  necessary  demand.^ 

Right  to  Restrict 

ACP-ASIM  generally  supports  the  right  of  an  individual  to  request  that  a  covered 
entity  restrict  further  uses  and  disclosures  of  PHI  for  treatment,  pajrment  or  health 
care  operations.  However,  administering  a  system  in  which  some  information  is  pro- 
tected and  other  information  is  not  poses  significant  challenges.  In  reahty,  this  right 
will  be  severely  hampered  by  health  care  providers'  contractual  obhgations  to  insur- 
ers. Managed  care  organizations  normally  require  that  participating  physicians  not 
enter  into  private  contracts  for  treatment  and  payment  outside  the  physician's  con- 
tract with  the  MCO.  Thus,  in  its  practical  apphcation,  this  right  may  be  restricted 
to  self-pay  patients. 

In  cases  not  involving  reimbursement,  such  as  release  to  other  physicians,  provid- 
ers may  make  good  faith  efforts  to  avoid  those  disclosures,  but  implementing  secu- 
rity systems  and  tracking  those  limitations  will  be  extremely  difficult  due  to  sys- 
tems limitations.  Electronic  systems  do  not  provide  the  capacity  to  exclude  trans- 
missions to  particular  providers.  Physician  office  groups  may  request  paper  records 
and  administrative  staff  may  be  unaware  of  the  affihation  of  a  particular  provider 
within  that  group.  Tracking  a  myriad  of  restrictions  may  be  impractical  and  could 
result  in  denial  of  all  requests  to  avoid  disclosure  HabiHties.  We  would  support 
providing  examples  in  the  final  rule  of  appropriate,  scalable  systems  that 
would  be  in  compliance  with  this  proposed  provision. 

The  Preamble  notes  that  the  proposed  rule  would  not  require  a  covered  entity  to 
agree  to  a  request  to  restrict,  or  to  treat  or  provide  coverage  to  an  individual  re- 
questing a  restriction.  HHS  correctly  recognizes  that  the  medical  history  and 
records  of  a  patient,  particularly  information  about  current  medications  and  other 
therapies,  are  often  very  much  relevant  when  new  treatment  is  sought.  Physicians 
have  an  ethical  and  in  many  cases  legal  obhgation  to  treat  a  patient  until  that  pa- 
tient has  been  formally  transferred  to  the  care  of  another  provider  and/or  dis- 
charged. Provisions  should  be  made  to  accommodate  provider  treatment 
and  disclosure  after  the  covered  entity  has  refused  a  non-disclosure  re- 
quest. 

Creation  of  De-identified  Information 

ACP-ASIM  supports  the  approach  proposed  in  §  164.506(d)  for  de-identifying 
identifiable  information  and  the  use  of  restrictions  designed  to  ensure  that  de-iden- 
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tified  information  is  not  used  inappropriately.  We  believe  that  health  information 
shoijQd  be  encrjrpted  before  being  transmitted  electronically  for  research  purposes. 
For  the  majority  of  physicians  in  private  practice,  however,  development  and  imple- 
mentation of  procedures  for  stripping  identifiers  will  be  cumbersome.  A  typical  phy- 
sician's office  has  neither  the  technical  ability  to  create  de-identified  data  nor  the 
staff  to  manually  de-identify  data.  We  support  a  "reasonableness"  standard 
whereby  entities  with  sufficient  statistical  experience  and  expertise  could 
remove  or  code  a  different  combination  of  information. 

Business  Partners 

We  have  major  concerns  with  and  strongly  object  to  the  business  partner  provi- 
sions. While  we  recognize  the  limitations  imposed  on  the  authority  of  HHS  to  di- 
rectly regulate  entities  other  than  health  plans,  health  care  providers  and  clearing- 
houses, we  are  concerned  that  under  the  business  partner  provisions,  physicians 
would  become  regulators  for  HHS.  These  provisions  would  not  only  be  unduly  bur- 
densome to  physicians,  but  also  woidd  be  exceedingly  difficult  to  enforce.  Physicians 
would  be  exposed  to  open-ended,  impredictable  liability.  Each  of  these  concerns  is 
discussed  in  further  detail  below. 

Under  the  proposal,  for  purposes  other  than  consultation  or  referral  for  treatment, 
covered  entities  would  be  able  to  disclose  PHI  to  business  partners  only  pursuant 
to  a  written  contract  that  would  limit  the  business  partners  uses  and  disclosures 
of  PHI.  The  contract  between  the  covered  entity  and  the  business  partner  would  be 
required  to  include  certain  pro\dsions  that  are  specified  in  the  proposal.  Each  speci- 
fied contract  term  would  be  considered  a  separate  implementation  specification 
under  the  proposal,  and  a  covered  entity  would  be  responsible  for  assuring  that  the 
business  partner  meets  each  such  implementation  standard.  These  complex  contract 
terms  and  new  obligations  wiU  necessitate  the  investment  of  much  more  time  and 
resources  by  medic^  and  legal  personnel.  Business  partners  may  incur  substantial 
expenses  in  meeting  privacy  requirements,  which  could  result  in  more  expensive 
contracts  for  health  care  providers. 

Non-comphance  by  a  business  partner  or  its  sub-contractor  of  the  terms  of  the 
contract  could  expose  the  physician  to  significant  civil  or  criminal  sanctions.  Physi- 
cians would  be  in  violation  of  the  rule  if  they  knew  or  "reasonably"  should  have 
known  of  a  material  breach  of  the  contract  by  a  business  partner  and  failed  to  take 
reasonable  steps  to  cure  the  breach  or  terminate  the  contact.  Physicians  would  also 
be  responsible  for  mitigating  the  harm  caused  by  such  violations.  It  will  be  very  dif- 
ficult, if  not  impossible,  for  most  physicians  to  enforce  the  required  contracts.  No 
analysis  has  been  done  of  the  number  of  single-source  business  partners  used  by 
health  care  providers.  A  Medicare  carrier  acting  as  a  fiscal  intermediary,  for  exam- 
ple, would  qualify  as  a  business  partner.  However,  HHS  awards  single-source  con- 
tracts, leaving  the  physician  with  no  viable  alternative  if  required  to  terminate  a 
contract.  These  provisions,  by  making  physicians  liable  for  disclosures  by 
others  not  under  their  control,  raise  serious  questions  of  fairness,  and 
should  not  be  included  in  the  final  ride. 

Business  partners  will  be  impacted  by  the  need  to  maintain  business  records  for 
legal  and/or  financial  auditing  purposes.  This  may  make  the  destruction  or  return 
of  aU  PHI  unlikely  or  impossible  in  certain  circumstances.  For  example,  billing  serv- 
ices are  subject  to  HHS  audit.  If  business  partners  cannot  maintain  PHI,  they  can- 
not provide  documentation  of  coding  or  submissions  material,  nor  protect  themselves 
fi:'om  claims  made  against  them  related  to  bookkeeping  errors.  Computer  back-ups 
that  are  maintained  by  many  business  partners  might  include  PHI.  Business  part- 
ners cannot  be  expected  to  destroy  all  forms  of  electronic  back-up  just  because  they 
have  completed  work  for  one  particular  client.  Outside  entities  that  provide  finan- 
cial services  and  have  access  to  information  included  on  standard  explanation  of 
benefits  forms  will  also  be  required  to  identify  and  destroy  substantial  numbers  of 
documents.  Such  entities  could  include  banking  entities  providing  lockbox  services, 
billing  services,  third-party  medical  collection  agencies,  third-party  coding  experts, 
consulting  and  auditing  services  and  third-party  claims  processors,  such  as  Medi- 
care carriers. 

Finally,  and  perhaps  of  most  concern,  a  requirement  included  in  the  proposed  con- 
tractual agreement  would  create  a  private  right  of  action.  Individuals  whose  PHI 
is  disclosed  by  a  business  partner  in  violation  of  the  rule  would  be  considered  to 
be  third-party  beneficiaries.  As  a  third-party  beneficiary,  a  patient  would  have  a 
right  under  contract  law  to  enforce  the  terms  of  the  agreement  by  seeking  damages 
against  the  breaching  business  partner  and  against  the  covered  entity  for  failure  to 
select  and  monitor  properly  the  business  partner.  Covered  entities  would  most  likely 
have  to  purchase  a  rider  imder  their  insurance  poHcies  in  order  to  be  covered 
against  such  claims. 
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Uses  and  Disclosures  with  Individual  Authorization 

The  regulation  would  require  that  covered  entities  have  authorization  from  indi- 
viduals before  using  or  disclosing  their  PHI  for  any  purpose  not  otherwise  recog- 
nized by  this  regulation.  ACP-ASIM  supports  the  requirement  that  individuals 
must  give  specific  authorization  before  a  covered  entity  could  use  or  disclose  PHI 
for  purposes  imrelated  to  health  care  treatment  or  payment.  (As  discussed  earUer, 
ACP-ASIM  opposes  disclosure  of  PHI  without  patient  authorization  except  in  lim- 
ited circumstances). 

We  support  the  provisions  in  this  section.  Physicians  must  release  information  to 
the  patient  or  a  third  party  at  the  request  of  the  patient.  (ACP-ASIM  Ethics  Man- 
ual) Patient-initiated  authorizations  should  be  specific  enough  in  terms  of  the  infor- 
mation to  be  disclosed  and  to  whom  the  information  is  to  be  disclosed  to  enable  the 
physician  to  comply  with  the  individual's  request.  Specific  authorization  is  much 
better  than  the  current  practice  of  using  broad  disclosure  forms.  ACP-ASBVI  sup- 
ports requiring  an  expiration  date  as  well  as  allowing  authorization  to  be 
revoked  by  a  patient  unless  action  has  been  taken  in  reliance  on  the  au- 
thorization. With  respect  to  authorizations  initiated  by  covered  entities,  we  sup- 
port the  requirement  that  the  authorization  form  should  identify  the  purposes  for 
which  the  information  is  sought  as  well  as  the  proposed  uses  and  disclosures  of  that 
information.  Patients  need  to  be  able  to  make  informed  decisions.  Finally,  we  sup- 
port the  provision  stating  that  treatment  and  payment  should  not  be  conditioned  on 
a  patient's  authorization. 

Public  Health  Activities 

ACP-ASIM  supports  the  provisions  that  would  permit  covered  entities  to  disclose 
PHI  without  individual  authorization  to  pubUc  health  authorities  can:ying  out  pub- 
lic health  activities  authorized  by  law,  to  non-governmental  entities  authorized  by 
law  to  carry  out  pubHc  health  activities,  and  to  persons  who  may  be  at  risk  of  con- 
tacting or  spreading  a  disease.  ConfidentiaUty  may  be  overridden  to  protect  the  pub- 
he  health  or  individuals  such  as  sexual  partners  at  risk,  or  when  the  law  requires 
it  (e.g.,  mandatory  pubhc  health  reporting).  However,  before  breaching  confidential- 
ity, physicians  should  make  every  effort  to  discuss  the  issue  with  the  patient.  (ACP- 
ASIM  Ethics  Manual). 

Health  Oversight 

ACP-ASIM  supports  allowing  disclosiu-e  or  use  of  PHI  without  individual  author- 
ization for  health  oversight  activities.  However,  individual  identifiers  should  be 
coded  or  encrypted  whenever  practicable. 

Judicial  and  Administrative  Proceedings 

ACP-ASIM  supports  permitting  covered  entities  to  disclose  PHI  in  a  judicial  or 
administrative  proceeding  if  the  request  for  such  PHI  is  made  through  or  pursuant 
to  an  order  by  a  court  or  administrative  tribimal.  A  court  order  would  not  be  re- 
quired if  the  PHI  being  requested  relates  to  a  party  to  the  proceeding  whose  health 
condition  is  at  issue,  and  where  the  disclosure  is  made  pursuant  to  a  discovery  order 
or  is  otherwise  authorized  by  law.  In  the  latter  instance,  however,  we  are  concerned 
that  the  burden  and  possible  hability  is  on  physicians  to  determine  whether  the  re- 
quest relates  to  the  PHI  of  a  htigant  whose  health  is  at  issue.  Physicians  and  their 
staff  are  not  best  suited  for  making  such  determinations. 

Law  enforcement 

The  proposed  rule  would  permit  covered  entities  to  disclose  PHI  without  individ- 
ual authorization  to  a  law  enforcement  official  conducting  a  law  enforcement  inquiry 
authorized  by  law  if  the  request  for  PHI  is  made  pursuant  to  a  judicial  or  adminis- 
trative process.  We  think  that  these  provisions  are  too  broad.  Access  by  law  enforce- 
ment officials  to  individual  health  records  constitutes  an  inherent  privacy  violation. 
Health  information  is  collected  to  provide  quality  care  to  patients  and  to  help  society 
through  use  of  data  in  pubhc  health  research.  This  information  is  not  intended  for 
law  enforcement  because  of  the  potential  for  abuse.  Access  by  law  enforcement 
agents  should  be  restricted  to  searches  that  are  not  open-ended  and  for  which  there 
is  a  just  cause.  Release  of  confidential  medical  records  to  law  enforcement 
officials  should  be  permitted  only  when  sustained  by  either  subpoena  or 
court  order,  except  in  limited  emergency  circumstances.  Broad-based  ac- 
cess is  not  an  acceptable  option.  Law  enforcement  should  be  required  to 
go  through  an  independent  review  or  neutral  magistrate.  Administrative  sub- 
poenas may  be  issued  based  on  an  individual  law  enforcement  request,  sometimes 
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without  any  higher  review.  HHS  should  require  that  law  enforcement  officials 
obtain  a  judicial  order 

Research 

It  is  critical  that  the  provisions  dealing  with  research  recognize  the  precarious 
balance  between  protecting  patient  privacy  and  expanding  on  our  knowledge  of 
health  and  disease.  Rules  need  to  be  structured  so  that  they  will  not  unduly  burden 
health  researchers  in  their  quest  to  further  public  health  and  other  vital  medical 
research. 

We  generally  support  the  way  the  proposed  rule  deals  with  research  and  the  pri- 
vacy of  patient  information.  The  proposal  would  permit  covered  entities  to  use  and 
disclose  PHI  for  research  without  individual  authorization,  provided  that  the  cov- 
ered entity  receives  documentation  that  the  research  protocol  has  been  reviewed  by 
an  institutional  review  board  (IRB)  or  equivalent  body,  and  that  the  board  found 
that  the  research  protocol  meets  specified  criteria  designed  to  protect  the  subject. 
Absent  such  documentation,  the  subject's  PHI  could  be  disclosed  for  research  only 
with  the  individual's  authorization. 

IRBs  review  research  requests  to  ensure  adherence  to  standards  of  patient  protec- 
tion and  treatment  in  medical  research.  The  boards  are  established  to  ensure  that 
patients  have  been  ftdly  informed  and  that  they  have  consented  to  their  participa- 
tion in  cHnical  research.  Any  research  using  patient  information — whether  the  infor- 
mation is  identified  or  not,  whether  consent  is  obtained  or  waived — should  be  ap- 
proved by  an  IRB.  IRBs  are  an  efficient  and  effective  way  to  protect  the  rights  and 
privacy  of  patients  who  consent  to  sharing  their  health  information  for  the  benefit 
of  medical  research.  The  conduct  of  research  and  the  protection  of  patient  confiden- 
tiality also  must  be  in  compliance  with  professional  ethical  guidelines  and  codes  of 
conduct. 

De-identified  data  should  be  used  in  medical  research  whenever  possible, 
unless  the  nature  of  the  research  necessitates  identification  because  coded 
data  would  be  impracticable.  All  medical  research  studies  that  use  poten- 
tially individually  identifiable  information  must  contain  measures  to  pro- 
tect the  confidentiality  of  individual  patient  records  and  should  be  exam- 
ined and  approved  in  advance  by  an  IRB  or  similar  ethics  review  board.IRB 
functions  include  carefully  reviewing  the  type  of  patient  consent  needed  within  the 
context  of  each  study.  Additional  protection  for  subjects  should  be  required  if  the 
information  is  identified  and  the  waiver  of  consent  in  these  instances  should  be  hm- 
ited. 

The  use  of  data  sets  for  secondary  research  studies  should  be  allowed  for 
statistical  analyses  and  public  health,  but  the  records  should  remain  en- 
coded whenever  possible.  Patients,  however,  should  be  notified  when  infor- 
mation is  to  be  used  for  purposes  other  than  originally  agreed  on,  and  they 
should  have  the  option  to  deny  consent.  These  other  purposes  include  billing, 
organizational  research  and  quality  improvement  programs.  Unfortimately,  there  is 
no  clear  Une  to  differentiate  between  a  routine  use  and  a  research  use.  Often,  pri- 
mary and  secondary  data  uses  overlap,  and  their  definitions  are  dependent  on  the 
context  within  the  individual  studies.  Uses  of  "de-linked"  information  require  review 
by  an  IRB  or  other  similar  panel.  While  we  recognize  the  limited  authority  of  HHS 
over  researchers  who  are  not  covered  entities,  the  ACP-ASIM  believes  that  the 
burden  for  information  requests  should  be  borne  by  those  requesting  ac- 
cess to  the  information;  we  realize  the  need  for  stringent  review  in  deter- 
mining who  has  access  to  de-identified  information. 

Notice  of  Information  Practices 

We  generally  support  the  provisions  in  this  section  that  would  require  health 
plans  and  providers  to  give  notice  of  their  confidentiahty  practices  and  procedures 
to  patients.  Such  notice  would  be  intended  to  inform  patients  about  what  is  done 
with  their  PHI  and  about  any  rights  they  may  have  with  respect  to  that  inforrna- 
tion.  Notice  is  an  essential  component  of  giving  individuals  the  ability  to  make  in- 
formed choices  about  their  medical  treatment.  We  support  a  flexible  approach 
in  allowing  each  provider  to  create  a  notice  that  reflects  its  own  unique  in- 
formation practices. 

We  do  have  concerns,  however,  about  the  administrative  burdens  and  costs  of 
such  requirements,  particularly  for  small  practices.  Small  businesses  are  required 
to  provide  a  notice  of  information  practices  on  the  patient's  date  of  first  service  after 
the  effective  date  of  the  rule.  Determining  the  "first  service"  would  place  an  undue 
administrative  burden  on  many  small  practices.  On  a  daily  basis,  staff  would  have 
to  manually  review  each  chart,  or,  in  many  cases,  access  a  computer  system  to  de- 
termine whether  the  patient  has  been  seen  since  implementation  of  the  rule.  Inter- 
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nal  medicine  physicians  average .  4,000-5,000  patient  charts;  approximately  2,200 
charts  are  considered  to  be  "active."  ("active"  should  be  defined  as  those  patients 
who  have  been  seen  in  the  last  two  yegirs)  The  initial  cost  to  produce,  copy  and  mail 
notices  could  easily  exceed  the  estimated  $375  first  year  cost  per  provider  office.  As- 
siuning  50  cents  per  authorization,  the  total  cost  could  easily  reach  $1100  per  pro- 
vider in  medical  offices.  Moreover,  the  cost  attributed  to  tracking  individual  patient 
receipt  of  the  notice  would  be  extensive.  These  administrative  costs  would  be  in- 
curred again  whenever  a  notice  is  updated.  Physicians  who  mail  notices  to  ac- 
tive patients,  prominently  display  the  notice  and  provide  the  notice  to  all 
new  patients  should  be  relieved  of  any  additional  notification  require- 
ments. 

Requiring  signed  acknowledgment  of  the  notice,  which  in  theory  sounds  like  a 
good  practice,  in  reality  will  omy  increase  administrative  burdens  and  costs.  We  also 
suggest  a  clarification  to  the  provisions.  The  proposal  does  not  clearly  define  the 
scope  of  initial  notifications  required.  Will  notification  be  required  if  the  patient's 
last  treatment  date  was  prior  to  the  rule's  effective  date? 

Access  for  Inspection  or  Copying 

Patients  have  a  legal  and  ethical  right  to  review  information  in  their  own  medical 
records.  In  rare  and  limited  circumstances,  health  information  may  be  withheld 
fi'om  a  patient  if  there  is  significant  hkelihood  of  a  substantial  adverse  effect  on  the 
physical,  mental  or  emotional  health  of  the  patient  or  substantial  harm  to  a  third 
party.  The  onus  is  on  the  provider  to  justify  the  denial  of  access. 

The  proposed  rule  would  allow,  but  not  require,  a  researcher/provider  to  deny  a 
request  for  inspection  and  copying  of  the  chnical  trial  record  if  the  trial  is  still  in 
progress,  and  the  subject-patient  had  agreed  to  the  denial  of  access  in  conjunction 
with  the  subject's  consent  to  participate  in  the  trial.  The  IRB  or  privacy  board  would 
determine  whether  such  waiver  of  access  to  information  is  appropriate,  as  part  of 
its  review  of  the  research  protocol.  In  the  rare  instances  in  which  individuals  are 
enrolled  in  trials  without  consent  (such  as  those  permitted  under  FDA  regulations), 
the  covered  entity  could  deny  access  to  information  during  the  course  of  the  trial 
even  without  advance  subject  consent.  However,  access  during  the  trial  would  be  ap- 
propriate if  a  participant  has  a  severe  adverse  reaction  and  disclosure  of  information 
during  the  clinical  trial  would  give  the  participant  adequate  information  for  proper 
treatment  decisions.  In  all  cases,  the  subject  would  have  the  right  to  see  the  record 
after  the  trial  is  completed.  We  agree  with  these  provisions. 

Access  to  current  records  within  thirty  days  is  reasonable  for  active  patients.  Med- 
ical records  of  patients  last  seen  more  than  two  years  previously,  however,  may 
have  been  moved  to  off-site  storage,  which  necessitates  a  longer  recovery  period 
(perhaps  60  days),  and  incurs  additional  cost.  We  suggest  that  a  structured  ex- 
tension procedure  should  be  included  in  the  final  rule.  We  do  not  support 
requiring  an  acknowledgment  procedure. 

Accounting  of  Disclosures 

While  we  support  in  principle  the  requirement  for  an  accounting  of  disclosures, 
we  have  several  concerns  about  the  proposal  in  its  current  form.  First,  covered  enti- 
ties would  be  required  to  provide  an  accounting  of  all  instances  where  PHI  is  dis- 
closed for  purposes  other  than  treatment,  payment  and  health  care  operations.  How- 
ever, as  currently  drafted,  PHI  may  be  disclosed  without  individual  authorization 
for  those  purposes.  Thus,  patients  could  learn  who  has  had  access  to  their  PHI  only 
when  such  information  is  disclosed  with  their  consent,  but  they  do  not  have  such 
a  right  when  consent  has  not  been  given.  It  would  seem  that  it  would  be  more  im- 
portant to  provide  an  accounting  for  disclosures  where  an  individual  has  not  given 
prior  authorization. 

Second,  we  are  concerned  about  the  administrative  burden  and  cost  of  complying 
with  the  accounting  requirements  We  agree  that  accounting  should  not  be  required 
for  payment,  treatment  and  most  health  care  operations,  but,  as  discussed  earUer, 
we  recommend  that  individual  authorization  should  be  required  prior  to  the  disclo- 
sure or  use  of  PHI  for  such  purposes. 

Finally,  we  suggest  amending  section  164.515(c)(l)(v)  to  clarify  that  "cop- 
ies of  all  requests  for  disclosure**  refers  only  to  individual-initiated  re- 
quests. 

Amendment  or  Correction 

We  support  the  right  of  patients  to  review  the  information  in  their  medical 
records  and  to  propose  corrections.  At  the  same  time,  however,  it  is  critical  to  keep 
in  mind  that  medical  records  provide  working  documentation  for  physicians  and  are 
often  referred  to  in  support  of  actions  taken  on  the  patient's  behalf.  The  integrity 
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of  the  medical  record  is  critical.  Therefore,  medical  histories  should  not  be  re-writ- 
ten or  deleted.  Physicians  are  liable  to  health  plans  for  providing  supporting  docu- 
mentation for  £dl  information  submitted  and  requests  for  pajnnent.  If  this  iiSbrma- 
tion  is  later  determined  to  be  inaccurate,  corrections  can  be  made  and  submitted 
as  appropriate.  The  original  documentation,  however,  is  still  necessary. 

Training 

Many  health  care  providers'  employee  training  programs  or  employee  handbooks 
currently  incorporate  confidentiaHty  policies,  so  the  additional  burden  imposed  by 
the  initial  training  requirement  would  be  neghgible.  Re-certification,  however,  would 
impose  a  new  administrative  burden  and  is  of  questionable  value  when  privacy  poli- 
cies remain  unchanged.  Re-certification  should  he  required  only  when  a  provider's 
privacy  policy  significantly  changes. 

Safeguards 

The  proposal  would  require  that  a  covered  entity  have  appropriate  technical  and 
physical  safeguards  to  protect  the  privacy  of  PHI.  Medical  records  intermingle  elec- 
tronically transmitted  data,  non-electronically  transmitted  data,  and  data  that  is 
referenced  in  both  formats.  Therefore,  providers  most  likely  will  have  to  presume 
that  all  records  must  be  considered  PHI  and  treated  as  such.  Many  small  practices 
keep  records  in  central  areas  easily  accessible  to  all  staff;  such  areas  are  not  easily 
adaptable  to  "locked  storage"  areas.  Replacement  of  an  open  medical  chart  storage 
cabinet  with  a  lockable  unit  costs  approximately  $800  and  provides  little  benefit.  A 
typical  physician  has  between  three  and  ten  units.  A  small  business  should  be 
required  instead  to  provide  physical  barriers  (e.g.,  walls  or  counters)  to 
limit  the  access  of  non-authorized  personnel  to  record  storage  areas. 

The  proposal  also  would  require  a  covered  entity  to  verify  the  identity  and/or  au- 
thority of  persons  requesting  PHI.  This  places  an  unusual  burden  on  health  care 
providers  to  verify  requests  that  are  normally  received  verbally  or  via  fax.  Moreover, 
ascertaining  whether  a  requestor  has  the  appropriate  legal  authority  is  beyond  the 
scope  of  the  training  or  expertise  of  most  employees  in  a  physician's  office.  Health 
care  providers  must  be  able  to  reasonably  rely  on  the  authority  of  the  re- 
questor. 

Sanctions 

We  support  the  flexibility  in  the  proposal  that  would  allow  covered  entities  to  de- 
velop the  sanctions  policies  appropriate  to  their  businesses  and  operations.  The 
ACP-ASIM  supports  holding  users  of  electronic  medical  data  accountable  for  pro- 
tecting patient  privacy.  We  are  concerned,  however,  that  a  provider  would  be  held 
liable  for  violations  by  a  business  partner  and  its  subcontractors.  As  discussed  ear- 
lier, we  think  that  there  are  fundamental  fairness  issues  in  holding  providers  ac- 
countable for  the  actions  of  another  entity  that  they  do  not  control. 

Small  Business  Impact 

The  NPRM  does  not  propose  a  specific  definition  for  small  businesses,  but  incor- 
porates the  U.S.  Small  Business  Administration's  (SBA)  baseline  revenue  definition 
for  small  businesses,  which  is  $5  million  in  annual  revenue.  We  do  not  believe  that 
this  proposed  guideline,  as  currently  defined,  will  include  the  projected  90%  of 
health  care  providers.  The  Medical  Group  Management  Association's  Cost  Survey 
Report  for  1998  indicated  that  only  52.01%  of  group  practices  would  not  exceed  the 
$5M  revenue  threshold.  In  addition,  the  SBA  has  proposed  adjusting  the  revenue 
requirement  for  Doctors  of  Medicine  (SIC  8011),  as  well  as  certain  other  health  care- 
related  providers,  to  $7.5  million.  SBA  has  proposed  this  increase  to  reflect  the  dis- 
advantage that  health  care  providers  face  in  a  highly  competitive  market,  even 
though  their  revenue  has  increased.  We  would  encourage  HHS  to  reflect  this 
amended  revenue  standard  in  the  final  rule. 

Additionally,  we  encourage  HHS  to  consider  establishing  an  alternative  test  for 
small  businesses,  based  upon  number  of  employees.  Health  care  providers  in  par- 
ticular areas  of  medicine,  such  as  cardiology  or  oncology,  would  exceed  the  revenue 
requirements  in  a  practice  of  four  to  five  physicians.  To  achieve  parity  across  spe- 
cialties with  widely  divergent  average  revenues,  we  encourage  HHS  to  consider  ex- 
tending the  definition  of  small  business  to  any  health  care  provider  employing  less 
than  twenty  employees.  This  definition  is  supported  by  the  report,  "Employer 
Firms,  Employment,  and  Estimated  Receipts  by  Firm  Size  and  Industry, 
1996,"  issued  by  the  SBA's  Office  of  Advocacy,  which  indicates  that  92%  of 
Doctors  of  Medicine  worked  in  firms  with  fewer  than  20  employees. 
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Conclusion 

The  proposed  rule  is  an  important  first  step  in  ensuring  federal  protections  for 
the  privacy  of  medical  records.  The  ACP-ASIM  appreciates  your  consideration  of 
our  comments  and  looks  forward  to  working  with  you  as  the  rulemaking  process 
continues.  If  you  have  any  questions,  please  do  not  hesitate  to  contact  Debra  Cohn, 
Legislative  Counsel  (202/261-4541)  or  Jack  Ginsburg,  Director  of  Policy  Analysis 
and  Research  (202/261-4542). 
Sincerely, 

Whitney  W.  Addington,  M.D.,  FACP 

President 


American  College  of  Surgeons 
Washington,  DC  20007 

February  16,  2000 

The  Honorable  Bill  Thomas 
Chair,  Subcommittee  on  Health 
Committee  on  Ways  and  Means 
U.S.  House  of  Representatives 
1136  Longworth  House  of  Building 
Washington,  DC  20515 

Dear  Chairman  Thomas: 

As  you  and  members  of  your  Subcommittee  prepare  to  examine  the  extraor- 
dinarily complex  issue  of  medical  records  confidentiality,  the  enclosed  copy  of  the 
College's  response  to  the  Department  of  Health  and  Human  Services  (HHS)  proposal 
on  this  issue  may  be  useful. 

In  its  comments,  the  College  recognizes  the  enormously  difficult  task  the  HHS 
Secretary  faced  when  drafting  this  proposed  rule,  and  we  commended  the  Depart- 
ment for  its  effort  to  generate  regulations  that  are  consistent  with  sensible  health 
information  confidentiality  principles.  However,  we  believe  strongly  that  the  pro- 
posed rule  overreaches  its  mandate  in  some  areas,  fails  to  take  into  account  impor- 
tant private-sector  activities  that  contribute  to  high-quality  patient  care,  and  im- 
poses unreasonable  burdens  on  physicians  and  their  staff.  Therefore,  the  College 
still  believes  that  strong  federal  legislation  is  needed  to  provide  a  more  tightly 
drawn  blueprint  for  federal  regulations. 

Some  of  our  key  concerns  with  the  proposed  rule,  described  in  more  detail  in  the 
enclosed  text,  can  be  summarized  as  follows: 

•  The  list  of  covered  entities  included  in  the  proposal  does  not  adequately  account 
for  the  wide  range  of  those  that  contribute  to  the  modem,  integrated  health  care 
system.  As  an  example,  it  is  impossible  to  determine  how  the  College's  own  central- 
ized cancer  registry,  the  National  Cancer  Data  Base,  would  be  treated  and  what  re- 
quirements it  would  need  to  meet. 

•  Improvements  can  be  made  in  the  definitions  that  were  developed  for  "treat- 
ment," "payment,"  and  "health  care  operations."  In  particular,  we  question  how 
much  patient  identifiable  information  is  necessary  for  fi'aud  and  abuse  detection  and 
compliance  programs,  or  for  general  evaluation  of  provider  performance. 

•  The  mandate  that  covered  entities  adhere  to  a  "minimally  necessary"  require- 
ment when  disclosing  protected  health  information  should  be  modified  to  provide 
more  explicit  guidance.  Further,  we  suggest  that  entities  requesting  protected  infor- 
mation should  bear  greater  responsibility  for  determining  the  minimum  amount 
necessary  to  complete  their  efforts. 

•  The  College  vigorously  objects  to  provisions  that  would  essentially  require  cov- 
ered entities  to  be  knowledgeable  about  and  adhere  to  the  information  policies 
adopted  by  the  whole  assortment  of  businesses  with  which  they  are  partners.  We 
believe  that  HHS  has  greatly  overstepped  its  statutory  authority  in  this  provision, 
and  recommend  that  the  standards  be  modified  to  require  only  that  physicians  and 
other  covered  entities  make  reasonable  efforts  to  enforce  their  contracts;  they  should 
not  be  held  responsible  for  their  business  partners'  transgressions. 

•  The  list  of  data  elements  that  would  need  to  be  stripped  fi:om  the  medical 
record  to  be  considered  "de-identified"  is  far  too  sweeping  and,  if  implemented,  will 
render  the  record  unusable  for  many  types  of  medical  research  and  disease  surveil- 
lance registries. 

•  The  definition  of  health  oversight  agencies  sdlowed  access  to  patient  information 
appears  to  include  only  those  that  are  government-based.  Other  key,  private  sector 
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organizations,  such  as  the  Joint  Commission  on  Accreditation  of  Healthcare  Organi- 
zations, are  not  granted  equal  privileges.  Indeed,  the  College  conducts  programs 
that  rely  on  patient  data  to  assess  and  approve  hospital-based  cancer,  trauma,  and 
bum  programs — these  programs  simply  could  not  operate  under  the  restrictions 
being  proposed  by  HHS. 

•  To  increase  the  odds  of  patients  understanding  of  the  notices  they  receive  about 
a  provider's  information  practices,  HHS  should  reconsider  its  decision  to  abstain 
from  developing  a  uniform  format.  The  more  patients  see  similar  documents,  the 
less  likely  they  are  to  become  disoriented  when  examining  a  new  notice,  particularly 
when  presented  with  multiple  notices  for  an  episode  of  care  that  involves  more  than 
one  provider. 

Finally,  as  we  note  in  our  comments,  many  of  the  problems  encoimtered  with  cur- 
rent patient  information  management  practices  result  from  the  patchwork  of  state 
laws  that  compUcate  our  increasingly  interstate  health  care  delivery  and  financing 
systems.  We  urge  Congress  to  enact  legislation  preempting  all  state  laws  and  estab- 
Hsh  a  single,  national  standard  for  the  care  and  management  of  patient  medical 
records. 

The  College  welcomes  the  Subcommittee's  interest  in  addressing  this  remarkably 
compUcated  and  important  issue.  We  hope  that  you  will  call  on  us  to  assist  in  your 
efforts  to  develop  reasonable,  workable  legislation  to  resolve  the  many  difficult 
issues  involved,  including  those  problems  that  arise  from  the  Secretar/s  limited 
regulatory  authority  in  this  area.  Please  do  not  hesitate  to  contact  Christian 
Shalgian  in  our  Washington  Office,  at  (202)  337-2701,  if  we  can  be  helpful. 
Sincerely, 

Thomas  R.  Russell,  MD,  FACS 

Executive  Director 

[An  attachment  is  being  retained  in  the  Committee  files.] 


Statement  of  the  American  Council  of  Life  Insurers 

/.  INTRODUCTION 

The  American  Council  of  Life  Insurers  (ACLI)  is  a  national  trade  association 
whose  435  member  companies  represent  73  percent  of  the  life  insurance  and  86.9 
percent  of  the  long  term  care  insurance  in  force  in  the  United  States.  The  ACLI  also 
represents  71  percent  of  the  companies  that  provide  disability  income  insurance. 
The  ACLI  is  please  to  submit  a  summary  of  its  comments  on  the  proposed  Stand- 
ards for  Privacy  of  Individually  Identifiable  Health  Information,  45  CFR  Parts  160 
through  164,  (the  proposed  rule)  promulgated  by  the  Department  of  Health  and 
Human  Services  (Department).  The  entire  text  of  the  ACLI's  comments  can  be  found 
on  our  pubhc  web  site  at  ACLI.com. 

The  ACLI  supports  the  goal  of  the  Department  of  Health  and  Human  Services 
(Department)  to  protect  the  privacy  of  individually  identifiable  health  information 
and  supports  implementation  of  the  privacy  requirements  of  the  Administrative 
Simplification  subtitle  of  the  Health  Insurance  PortabiHty  and  Accountability  Act  of 
1996  (P.L.  104  - 191)  (HIPAA).  Life,  disability  income,  and  long  term  care  insurers 
understand  their  responsibility  to  protect  individually  identifiable  health  informa- 
tion. ACLI  member  companies  are  strongly  committed  to  the  principle  that  individ- 
uals have  a  legitimate  interest  in  the  proper  collection  and  handling  of  their  medical 
information  and  that  insurers  have  an  obligation  to  assure  individuals  of  the  con- 
fidentiahty  of  that  information. 

Two  years  ago,  the  ACLI  Board  of  Directors  adopted  the  "Confidentiality  of  Medi- 
cal Information  Principles  of  Support."  The  ACLI  has  just  amended  these  Principles 
to  strengthen  them  even  further  to  provide  for  support  for  prohibitions  on  the  shar- 
ing of  medical  information  for  marketing  and  for  determining  eligibility  for  credit. 
A  copy  of  the  Principles  is  attached  to  this  statement.  Life,  disabihty  income,  and 
long  term  care  insurers  have  a  long  history  of  handling  individually  identifiable 
health  information  in  a  confidential  and  appropriate  manner  and  are  proud  of  their 
record  as  responsible  custodians  of  that  information. 

The  ACLI  strongly  supports  the  Department's  fundamental  goal  of  protecting  indi- 
vidually identifiable  health  information.  We  believe  that  the  Department  can  pursue 
this  goal  in  a  manner  consistent  with  the  public  interest  in  maintaining  hfe,  disabil- 
ity income,  and  long  term  care  insurance  markets  which  meet  the  private  insurance 
needs  of  American  consumers.  By  their  very  nature,  the  businesses  of  life,  disability 
income,  and  long  term  care  insurance  involve  personal  and  confidential  relation- 
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ships.  However,  insurers  seUing  these  Hnes  of  coverage  must  be  able  to  obtain  and 
use  their  customers'  individually  identifiable  health  information  to  perform  legiti- 
mate insurance  business  functions,  essential  to  insurers'  ability  to  serve  and  fulfill 
their  contractual  obligations  to  their  existing  and  prospective  customers.  We  have 
analyzed  the  proposed  rule  with  a  view  to  balancing  the  goal  of  protecting  the  con- 
fidentiality of  individuals'  individually  identifiable  health  information  with  life,  dis- 
abihty  income,  and  long  term  care  insurers'  need  to  obtain  and  use  that  information 
in  order  to  issue,  service,  and  administer  insurance  policies  sought  by  individuals. 

We  were  pleased  that  Secretary  Donna  Shalala,  as  the  Keynote  Speaker  at  the 
ACLI's  Annual  Meeting  in  November  of  1997,  acknowledged  the  importance  of  ac- 
cess to  individually  identifiable  health  information  to  the  abihty  of  insurance  compa- 
nies to  provide  the  essential  protection  that  only  private  insurance  affords.  Sec- 
retary Shalala  stated:  "I  know  that  you  support  confidentiahty  legislation  as  long 
as  it  doesn't  jeopardize  your  abiUty  to  underwrite  in  a  fair  and  fiscally  prudent  man- 
ner and  to  evaluate  claims."  This  statement  by  the  Secretary  is  a  trenchant  declara- 
tion of  the  fundamental  point  of  this  letter.  I 

It  is  important  that  the  Department  understand  and  consider  all  of  the  possible  ' 
results  of  the  proposed  rule  on  covered  entities  and  other  entities  that  will  be  im- 
pacted by  it.  We  are  concerned  that  the  proposed  rule  fails  to  take  into  account  its 
impact  on  entities  that  are  not  covered  entities,  but  which  would  be  significantly  j 
impacted  by  the  rule,  particularly  life  and  disabiUty  income  insurers.  We  are  also 
concerned  that  the  proposed  rule  does  not  adequately  take  into  accoimt  its  impact  ' 
on  insurers  which  sell  long  term  care  insurance  which  are  currently  directly  subject 
to  the  proposed  rule. 

Appropriately,  insurers  selling  life  insurance  are  not  covered  entities  subject  to  di-  [ 
rect  regulation  under  the  proposed  rule.  However,  hfe  insurers  must  obtain  pro-  I' 
tected  health  information,  essential  to  underwriting  and  claims  evaluation,  from 
doctors,  hospitals,  and  others  who  may  only  disclose  protected  health  information 
as  permitted  under  the  rule. 

While  it  appears  that  disabiHty  income  insurance  pohcies  are  not  intended  to  be 
health  plans  and  that  insurers  which  sell  disability  income  insurance  policies  are 
not  intended  to  be  covered  entities,  this  is  not  entirely  clear.  We  beheve  that  disabil- 
ity income  insurance  policies  are  not  health  plans,  that  disabihty  income  insurers  | 
are  not  covered  entities,  and  that  the  proposed  rule  should  make  this  clear.  Also, 
as  with  life  insurers,  we  are  concerned  with  the  proposed  rule's  impact  on  disabihty 
income  insurers'  abihty  to  obtain  from  covered  entities  health  information  essential  | 
to  underwriting  and  claims  evaluation  activities.  j 

We  are  concerned  by  the  proposed  rule's  inconsistency  with  HIPAA  by  virtue  of  ' 
its  inclusion  of  a  number  of  HIPAA  "excepted  benefits"  within  the  definition  of 
health  plan,  making  insurers  which  sell  these  hnes  of  coverage  "covered  entities." 
This  appears  to  be  contrary  to  Congressional  intent  to  have  the  rule  address  com- 
prehensive medical  coverages  only.  It  also  appears  contrary  to  the  Department's  in- 
tent as  expressed  in  the  preamble  section  "Definitions,"  in  connection  with  the  defi- 
nition of  health  plan. 

We  are  particularly  concerned  by  the  proposed  rule's  characterization  of  long  term 
care  insurance  pohcies  as  health  plans,  making  long  term  care  insurers  covered  en- 
tities. For  the  reasons  explained  below,  we  strongly  beheve  that  this  is  inappropri- 
ate. Long  term  care  insurance  pohcies  should  be  deleted  from  the  Ust  of  coverages 
defined  as  health  plans.  If  insurers  which  sell  long  term  care  insurance  continue  to 
be  covered  entities  in  the  final  rule,  we  would  be  very  much  concerned  by  the  pro- 
posed rule's  impact  on  their  activities,  as  explained  below. 

There  is  also  troublesome  ambiguity  in  the  proposed  rule  with  respect  to  the  obli- 
gations of  an  entity  which  is  a  covered  entity  for  purposes  of  some  of  its  activities 
and  not  a  covered  entity  for  purposes  of  other  activities.  A  hfe  insurer  is  not  subject 
to  the  proposed  rule  as  a  covered  entity.  As  the  rule  is  currently  drafted,  a  long 
term  care  insurer  would  be  a  covered  entity.  In  fact,  many  life  insurers  are  also  long 
term  care  insurers.  It  does  not  appear  to  be  the  intent  of  the  proposed  rule  to  make 
the  insurer  a  covered  entity  with  respect  to  its  use  of  protected  health  information 
in  connection  with  life  insurance,  nor  is  there  statutory  authority  to  extend  the  rule 
in  this  manner.  However,  neither  the  rule  nor  the  explanation  in  the  preamble  i 
make  this  clear.  The  rule  and  the  preamble  should  make  clear  that  an  entity  in- 
volved in  several  hnes  of  business,  one  of  which  is  subject  to  the  rule,  will  not  be 
subject  to  the  rule  with  regard  to  its  other  businesses.  ' 

//.  INSURANCE  AND  THE  ROLE  OF  INDIVIDUALLY  IDENTIFIABLE  HEALTH 
INFORMATION 

The  system  of  classifying  proposed  insureds  by  level  of  risk  is  called  risk  classi- 
fication. It  enables  insurers  to  group  together  people  with  similar  characteristics 
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and  to  calculate  a  premium  based  on  that  group's  level  of  risk.  Those  with  similar 
risk  pay  the  same  premiums.  The  process  of  risk  classification  provides  the  fun- 
damental framework  for  the  current  private  insurance  system  in  the  United  States. 
It  is  essential  to  insurers'  ability  to  determine  premiums  which  are:  (1)  adequate 
to  pay  their  customers'  future  claims;  and  (2)  fair  relative  to  the  risk  posed  by  pro- 
posed insureds. 

The  price  of  life,  disability  income  and  long  term  care  insurance  is  generally  based 
on  the  proposed  insured's  gender,  age,  present  and  past  state  of  health,  possibly  his 
or  her  job  or  hobby,  and  the  type  and  amoimt  of  coverage  sought.  Much  of  this  infor- 
mation is  provided  directly  by  the  proposed  insiu-ed. 

Depending  on  the  proposed  insured's  age,  medical  history,  and  the  amount  of  in- 
surance applied  for,  the  insurer  may  also  need  information  from  the  individual's 
medical  records.  In  this  event,  when  the  insiu-er's  sales  representative  takes  the 
consumer's  application  for  insurance,  he  will  request  that  the  applicant  sign  an  au- 
thorization, provided  by  the  insurer,  authorizing  the  insurance  company  to:  (1)  ob- 
tain his  health  information  from  his  doctor  or  fi-om  a  hospital  where  he  has  been 
treated;  and  (2)  use  that  information  to,  among  other  things,  underwrite  that  indi- 
vidual's application  for  coverage.  Based  on  this  information,  the  insurer  groups  in- 
sureds into  pools  so  that  they  can  share  the  financial  risk  presented  by  dying  pre- 
maturely, becoming  disabled,  or  needing  long  term  care. 

If  a  company  is  unable  to  gather  accurate  information  or  have  access  to  informa- 
tion already  known  to  the  proposed  insured,  an  individual  with  a  serious  health  con- 
dition, with  a  greater  than  average  risk,  could  knowingly  purchase  a  policy  for 
standard  premium  rates.  This  is  known  as  "adverse  selection."  While  a  few  cases 
of  adverse  selection  might  not  have  a  significant  negative  impact  on  the  life,  disabil- 
ity income,  or  long  term  care  insurance  markets,  multiple  cases  industry-wide  would 
likely  have  such  an  effect.  This  would  be  particularly  true  if  individuals  were  to  be 
legally  permitted  to  withhold  or  restrict  access  to  medical  information  significant  to 
their  likelihood  of  dying  prematurely,  becoming  disabled  or  requiring  long  term  care. 
The  major  negative  consequence  of  adverse  selection  would  be  to  <irive  up  costs  for 
future  customers  which  could  price  many  American  families  out  of  the  life,  disability 
income,  and  long  term  care  insurance  markets. 

Most  life  and  long  term  care  insurance  and  much  disability  income  insurance  is 
individually  underwritten.  As  part  of  the  underwriting  process,  insurers  selling  Ufe, 
disability  income,  and  long  term  care  insurance  rely  on  an  applicant's  individually 
identifiable  health  information  to  determine  the  risk  that  he  or  she  represents. 
Therefore,  medicEil  information  is  a  key  and  essential  component  in  the  process  of 
risk  classification. 

Once  a  life,  disability  income,  or  long  term  care  insurer  has  an  individual's  health 
information,  the  insurer  controls  and  limits  who  sees  it.  At  the  same  time,  insurers 
must  use  and  disclose  individually  identifiable  health  information  to  perform  legiti- 
mate, core  insurance  business  functions. 

Insurers  that  sell  life,  disability  income,  and  long  term  care  insurance  must  use 
individually  identifiable  health  information  to  perform  essential  functions  associated 
with  an  insurance  contract.  These  basic  functions  include,  in  addition  to  underwrit- 
ing, key  activities  such  as  claims  evaluation  and  policy  administration.  In  addition, 
insurers  must  also  use  individually  identifiable  health  information  to  perform  im- 
portant business  functions  not  necessarily  directly  related  to  a  particular  insurance 
contract,  but  essential  to  the  administration  or  servicing  of  insurance  policies  gen- 
erally, such  as,  for  example,  development  and  maintenance  of  computer  systems. 

Also,  Hfe,  disability  income,  and  long  term  care  insurers  must  disclose  individually 
identifiable  health  information  in  order  to  comply  with  various  regulatory/legal 
mandates  and  in  furtherance  of  certain  public  policy  goals  such  as  the  detection  and 
deterrence  of  fraud.  Activities  in  connection  with  ordinary  proposed  and  con- 
summated business  transactions,  such  as  reinsurance  treaties  and  mergers  and  ac- 
quisitions, also  necessitate  insurers'  use  and  disclosure  of  such  information.  Life, 
disability  income,  and  long  term  care  insurers  must  disclose  individually  identifiable 
health  to:  (1)  state  insurance  departments  in  connection  with  general  regulatory 
oversight  of  insurers  (including  regular  market  conduct  and  financial  examinations 
of  insurers);  (2)  self-regulatory  organizations,  such  as  the  Insurance  Marketplace 
Standards  Association  (IMSA),  concerned  with  insurers'  market  conduct;  and  (3) 
state  insurance  guaranty  funds,  which  seek  to  satisfy  policyholder  claims  in  the 
event  of  impairment  or  insolvency  of  an  insurer  or  to  facilitate  rehabilitations  or  liq- 
uidations. Limitations  on  these  disclosures  would  operate  coimter  to  the  consumer 
protection  piirpose  of  these  disclosure  requirements. 

Life,  disability  income,  and  long  term  care  insurers  need  to  (and,  in  fact,  in  some 
states  are  required  to)  disclose  individually  identifiable  health  information  in  order 
to  protect  against  or  to  prevent  actual  or  potential  fraud.  Such  disclosures  are  made 
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to  law  enforcement  agencies,  state  insurance  departments,  the  Medical  Information 
Bureau  (MIB),  or  outside  attorneys  or  investigators  who  work  for  the  insurer.  Again, 
any  Hmitation  on  an  insurer's  abiUty  to  make  these  disclosures  would  imdermine 
the  public  poUcy  goal  of  reducing  fraud,  the  costs  of  which  are  ultimately  borne  by 
consumers. 

///.  SUMMARY  OFACLI  COMMENTS  ON  THE  PROPOSED  RULE 
A.  Comments  Concerning  Life  and  Disability  Income  Insurers 

The  impact  of  the  proposed  rule  on  insurers  selling  life  insurance  and  on  insurers 
selling  disability  income  insurance  would  be  significgmt  and  adverse.  The  proposed 
rule  generally  encourages  and,  in  many  cases,  requires  limitation  on  disclosure  of 
individually  identifiable  health  information.  As  discussed  above,  such  information  is 
essential  to  the  business  of  insurance.  We  are  concerned  that  in  an  effort  to  protect 
confidentiahty,  the  rule  will  jeopardize  insurers'  ability  to  issue,  administer  and 
service  Hfe  and  disabihty  income  insurance  policies. 

It  appears  that  the  Department  does  not  intend  disabihty  income  insurance  poh- 
cies  to  be  health  plans  under  the  rule.  We  strongly  believe  that  this  is  appropriate. 
However,  the  proposed  rule  is  not  clear  on  this  point.  We  urge  the  Department  to 
amend  the  rule  to  specify  that  disabihty  income  insurance  pohcies  are  not  health 
plans. 

Section  164.508  requires  either  an  authorization  requested  by  the  individual  or 
by  a  covered  entity.  The  authorization  forms  submitted  by  hfe  and  disabihty  income 
insurers  to  covered  entities  on  behalf  of  or  as  authorized  by  apphcants  apparently 
fall  within  the  scope  of  Section  164.508(a),  authorizations  requested  by  individuals. 
Given  the  critical  importance  of  protected  health  information  to  life  and  disabihty 
income  insurers'  abihty  to  serve  their  customers,  we  beheve  that  this  section  re- 
quires clarification.  Section  164.508(a)(1)  should  provide  for  the  release  of  protected 
health  information  requested  by  the  individual  or  authorized  by  the  individual. 

Subject  to  hmited  exceptions,  the  proposed  rule  requires  that  a  covered  entity 
must  make  all  reasonable  efforts  not  to  use  or  disclose  more  than  the  minimum 
amoimt  of  protected  health  information  necessary  to  accomphsh  the  purpose  of  the 
use  or  disclosure.  If  Section  164.508(a)(1)  is  not  amended  to  accommodate  authoriza- 
tions submitted  as  authorized  by  the  individual,  covered  entities — ^third  parties  such 
as  doctors  and  hospitals — ^will  be  charged  with  determining  how  much  protected 
health  information  is  the  "minimum  necessar/'  for  an  insurer  to  underwrite  or  pay 
a  claim.  This  result  would  appear  to  be  contrary  to  the  Department's  intent  as  set 
forth  in  the  preamble.  It  would  also  be  inappropriate  because  it  is  the  insurer,  not 
the  covered  entity,  which  will  bear  the  financial  risk  of  the  insurance  transaction. 

We  are  very  much  concerned  by  the  standard  articxolated  in  Section  164.506(c)(i) 
giving  individuals  the  right  to  enter  into  agreements  with  health  care  provider  cov- 
ered entities  to  restrict  the  use  or  disclosure  of  specified  health  information.  Al- 
though this  subsection  clearly  provides  that  "a  covered  entity  that  is  a  health  care 
provider  must  permit  individuals  to  request  that  uses  or  disclosures  of  protected 
health  information  for  treatment,  payment,  or  health  care  operations  be  restricted" 
(emphasis  added),  the  reference  to  this  standard  in  Section  164.506(c)(2)  does  not 
similarly  make  it  clear  that:  (1)  only  health  care  provider  covered  entities  are  sub- 
ject to  this  standard;  and  (2)  the  right  to  restrict  only  extends  to  use  or  disclosure 
of  protected  health  information  for  treatment,  payment,  or  health  care  operations. 
We  are  gravely  concerned  that  if  Section 164. 506(c)(2)  is  not  clarified,  it  may  be  read 
to  permit  agreements  to  restrict  disclosure  of  information  which  could  cause  mate- 
rial information  to  be  withheld  from  an  insurer  underwriting  an  application  or  eval- 
uating a  claim  under  a  life  or  disabihty  income  insurance  pohcy,  without  the  insurer 
even  knowing  that  information  existed  at  all.  This  could  result  in  serious  adverse 
selection,  jeopardizing  the  current  private  systems  of  life  and  disability  income  in- 
surance. It  would  legalize  actions  which  constitute  fraud  and  material  misrepresen- 
tation imder  current  law. 

We  suggest  more  reasonable  treatment  of  psychotherapy  notes  and  research  infor- 
mation unrelated  to  treatment.  We  believe  that  all  individually  identifiable  health 
information  should  be  treated  confidentially  and  in  the  same  manner.  We  are  con- 
cerned by  discussion  in  the  preamble  that  seems  to  sanction  segregation  of  psycho- 
therapy notes.  We  are  concerned  by  the  definition  of  psychotherapy  notes  as  cur- 
rently proposed  which  may  bar  legitimate  access  to  anything  more  than  "summaries 
of  diagnosis,  functional  status,  etc. 

The  level  of  specificity  required  in  the  authorization  form  and  the  requirement  of 
multiple  authorizations  are  impracticable.  Furthermore,  we  are  concerned  that  giv- 
ing individuals  an  opportunity  to  revoke  their  authorization  for  disclosure  of  pro- 
tected health  information  could  jeopardize  hfe  and  disabihty  income  insurers'  abihty 


103 

to  investigate  material  misrepresentation,  fraud,  and  claims.  We  have  provided  the 
Department  with  specific  recommendations  for  amendments  to  these  sections. 

B.  Comments  Concerning  Long  Term  Care  Insurance 

We  believe  strongly  that  long  term  insurance  policies  are  inappropriately  charac- 
terized as  health  plans,  making  long  term  care  insurers  covered  entities.  We  believe 
that  long  term  care  insurance  policies  should  be  stricken  from  the  list  of  coverages 
defined  as  health  plans.  Whether  or  not  long  term  care  insurance  policies  are  health 
plans,  we  have  the  same  concerns,  as  we  have  with  respect  to  life  and  disability  in- 
come insurers,  about  the  proposed  rule's  impact  on  long  term  care  insurers'  ability 
to  obtain  from  other  covered  entities  protected  health  information  essential  to  un- 
derwrite and  pay  claims. 

We  believe  Section  164.508(a)  should  be  amended  to  clarify  that  authorizations 
may  be  submitted  on  behalf  of  or  authorized  by  an  individual.  If  Section  164.508(a) 
is  not  amended  in  this  manner,  covered  entities  inappropriately  will  be  charged  with 
determining  the  minimum  amount  of  protected  information  necessary  for  long  term 
care  insurers  to  underwrite  applications  for  long  term  care  insurance  coverage  and 
to  pay  claims. 

We  are  particiilarly  concerned  about  the  impact  on  long  term  care  insurers  of  the 
right  to  restrict  use  and  disclosure  of  certain  protected  health  information  granted 
under  Section  164.506(c)(1).  This  provision  could  have  a  devastating  effect  on  long 
term  care  insurers  by  virtue  of  the  fact  that  it  would  permit  an  agreement  to  re- 
strict disclosure  of  information  material  to  "payment"  of  a  long  term  care  insurance 
claim  without  a  long  term  care  insurer  even  knowing  any  information  is  being  with- 
held. Moreover,  the  failure  of  Sections  164.506(c)(2)  and  164.5 12(d)(ii)(B)  to  clarify 
that  the  right  to  restrict  use  and  disclosure  of  protected  health  information  is  only 
applicable  to  treatment,  payment,  and  health  care  operations  could  result  in  inter- 
pretation of  these  subsections  to  permit  agreements  to  withhold  information  mate- 
rial to  the  underwriting  of  long  term  care  insurance  policies.  On  a  widespread  basis, 
this  could  jeopardize  the  process  of  risk  classification  in  relation  to  long  term  care 
insurance. 

The  speciEil  treatment  of  psychotherapy  notes  and  research  information  unrelated 
to  treatment,  as  weU  as  the  definition  of  psychotherapy  notes  also  give  rise  to  con- 
cern as  they  relate  to  long  term  care  insurance.  Again,  we  believe  that  all  individ- 
ually identifiable  health  information  should  be  treated  confidentially  and  in  the 
same  manner.  We  are  concerned  by  discussion  in  the  preamble  that  seems  to  sanc- 
tion segregation  of  psychotherapy  notes.  We  are  concerned  by  the  definition  of  psy- 
chotherapy notes  as  currently  proposed  which  may  bar  legitimate  access  to  £uiything 
more  than  "summaries  of  diagnosis,  functional  status,  etc. 

The  requirements  for  authorizations  are  particularly  troublesome  as  applied  to 
long  term  care  insurer  covered  entities.  This  is  especially  true  with  respect  to  the 
right  to  revoke.  Given  the  fact  that  the  definitions  of  health  care  operations  and 
payment  fail  to  include  a  number  of  essential  ordinary  insurance  business  functions 
of  long  term  care  insurers,  individuals  are  given  the  right  to  revoke  long  term  care 
insurers'  right  to  use  protected  health  information  for  some  activities  which  are  crit- 
ical to  the  issuance,  servicing  and  administration  of  long  term  care  insurance  poli- 
cies. The  level  of  specificity  required  in  the  authorizations  is  also  problematic  as  ap- 
plied to  long  term  care  insurers. 

If  long  term  care  insurers  continue  to  be  covered  entities  in  the  final  rule,  we  sug- 
gest a  number  of  amendments  to  accommodate  the  administrative  needs  of  long 
term  care  insurer  covered  entities,  just  as  an  apparent  attempt  was  made  to  accom- 
modate the  administrative  needs  of  other  covered  entities.  If  long  term  care  insurers 
are  to  be  covered  entities,  they  should  not  be  treated  as  "second  class"  covered  enti- 
ties. 

As  mentioned  above,  we  are  very  concerned  that  the  proposed  definitions  of  health 
care  operations  and  payment  do  not  adequately  address  key  activities  of  long  term 
care  insurers  necessary  for  support  of  payment.  As  a  result,  Section  164.506(a)(l)(i) 
does  not  permit  long  term  care  insurers  to  use  and  disclose  protected  health  infor- 
mation without  authorization  to  perform  functions  which  are  "compatible  with  and 
directly  related  to  .  .  .  payment"  of  claims  submitted  under  long  term  care  insur- 
ance policies.  This  would  seem  to  be  counter  to  the  stated  intent  of  the  proposed 
rule"  to  make  the  exchange  of  protected  health  information  relatively  easy  for 
health  care  purposes." 

We  oppose  the  extension  of  the  proposed  rule  to  business  partners  of  covered  en- 
tity long  term  care  insurers.  We  are  particularly  concerned  that  long  term  care  in- 
surers are  made  liable  for  violations  of  the  proposed  rule  by  their  business  partners. 
We  are  also  opposed  to  the  creation  of  a  private  right  of  action  by  making  subjects 
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of  protected  health  information  third  party  beneficiaries  of  contracts  between  long 
term  care  insurers  and  their  business  partners. 

We  have  a  number  of  important  techniced  concerns  with  the  provisions  in  Section 
164.510  providing  for  disclosures  without  an  individual's  authorization.  We  include 
suggestions  as  to  how  these  matters  can  be  resolved. 

V^le  the  ACLI  supports  providing  individuals  rights  of  notice,  access,  accounting 
for  disclosures,  and  the  opportunity  to  request  amendment/correction  of  inaccurate 
information,  we  are  very  concerned  by  the  burdensome  nature  of  several  of  these 
requirements.  For  example,  required  and  permissible  disclosures  must  be  distin- 
guished in  the  proposed  notice.  This  is  in  addition  to  a  separate  requirement  that 
the  notice  contain  a  description  of  the  types  of  disclosures  that  may  occur.  Moreover, 
the  authorization  section  contains  similar  disclosure  requirements.  We  suggest  sev- 
eral ways  in  which  these  overlapping  requirements  can  be  simphfied  without  com- 
promising the  goal  of  providing  consumers  with  meaningftd  information  about  how 
a  covered  entity  handles  and  protects  the  consimier's  protected  health  information. 

The  ACLI  looks  forward  to  working  with  the  Chairman  and  members  of  this  com- 
mittee as  Congress  addresses  the  criticed  issue  of  protecting  the  confidentiality  of 
health  information. 

Confidentiality  of  Medical  Information 

Principles  of  Support 

Life,  disabihty  income,  and  long-term  care  insurers  have  a  long  history  of  dealing 
with  highly  sensitive  personal  information,  including  medical  information,  in  a  pro- 
fession^ and  appropriate  manner.  The  life  insurance  industry  is  proud  of  its  record 
of  protecting  the  confidentiedity  of  this  information.  The  industry  beUeves  that  indi- 
viduals have  a  legitimate  interest  in  the  proper  collection  and  use  of  individually 
identifiable  medical  information  about  them  and  that  insurers  must  continue  to 
handle  such  medical  information  in  a  confidential  manner.  The  industry  supports 
the  following  principles: 

1.  Medical  information  to  be  collected  fi-om  third  parties  for  imderwriting  life,  dis- 
abihty income  and  long-term  care  insurance  coverages  should  be  collected  only  with 
the  authorization  of  the  individual. 

2.  In  general,  any  redisclosure  of  medical  information  to  third  parties  should  only 
be  made  with  the  authorization  of  the  individual. 

3.  Any  redisclos\ire  of  medical  information  made  without  the  individual's  author- 
ization should  only  be  made  in  Umited  circumstances,  such  as  when  required  by  law. 

4.  Medical  information  will  not  be  shared  for  marketing  purposes. 

5.  Under  no  circimistances  will  an  insurance  company  share  an  individual's  medi- 
cal information  with  a  financial  company,  such  as  a  bank,  in  determining  ehgibiUty 
for  a  loan  or  other  credit — even  if  the  insurance  compginy  and  the  financial  company 
are  commonly  owned. 

6.  Upon  request,  individuals  should  be  entitled  to  learn  of  any  redisclosures  of 
medical  information  pertaining  to  them  which  may  have  been  made  to  third  parties. 

7.  All  permissible  redisclosures  should  contain  only  such  medical  information  as 
was  authorized  by  the  individual  to  be  disclosed  or  which  was  otherwise  permitted 
or  required  by  law  to  be  disclosed.  Similarly,  the  recipient  of  the  medical  informa- 
tion should  generally  be  prohibited  fi'om  making  further  redisclosures  without  the 
authorization  of  the  individual. 

8.  Upon  request,  individuals  should  be  entitled  to  have  access  and  correction 
rights  regarding  medical  information  collected  about  them  fi'om  third  parties  in  con- 
nection with  any  apphcation  they  make  for  life,  disability  income  or  long-term  care 
insurance  coverage. 

9.  Individuals  should  be  entitled  to  receive,  upon  request,  a  notice  which  describes 
the  insurer's  medical  information  confidentiality  practices. 

10.  Insurance  companies  providing  Ufe,  disabihty  income  and  long-term  care  cov- 
erages should  document  their  medical  information  confidentiality  policies  and  adopt 
internal  operating  procedures  to  restrict  access  to  medical  information  to  only  those 
who  are  aware  of  these  internal  pohcies  and  who  have  a  legitimate  business  reason 
to  have  access  to  such  information. 

11.  If  an  insurer  improperly  discloses  medical  information  about  an  individual,  it 
could  be  subject  to  a  civil  action  for  actual  damages  in  a  court  of  law. 

12.  State  legislation  seeking  to  implement  these  principles  should  be  uniform.  Any 
federal  legislation  to  implement  the  foregoing  principles  should  preempt  all  other 
state  requirements. 
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American  Federation  of  State, 
County  and  Municipal  Employees,  AFL^IO 
Washington,  DC  20036-5687 

February  16,  2000 

The  Honorable  William  Thomas 
Ways  and  Means  Committee 
Health  Subcommittee 
U.S.  House  of  Representatives 
Washington,  DC  20515 

Dear  Chairman  Thomas: 

The  American  Federation  of  State,  County  and  Municipal  Employees  (AFSCME) 
appreciates  the  opportunity  to  submit  a  statement  for  the  record  for  the  February 
17,  2000  hearing  on  the  confidentiality  of  patient  records.  AFSCME  represents  over 
1.3  million  workers.  Among  these  are  360,000  health  care  workers  including  reg- 
istered and  licensed  nurses,  pharmacists,  physicians  and  nursing  assistants.  There- 
fore, we  approach  privacy  regulations  from  the  perspective  of  consumers  of  health 
care  services  as  well  as  workers  in  the  health  care  system. 

We  commend  the  Department  of  Health  and  Human  Services  for  addressing  the 
crucial  issue  of  medical  record  confidentiality  in  such  a  comprehensive  proposal.  The 
need  to  develop  regulations  that  will  serve  as  standard  protections  for  the  users  of 
health  care  services  is  urgently  needed  in  the  rapidly  changing  world  of  health  care 
dehvery. 

AFSCME  strongly  supports  the  approach  in  the  Health  Insurance  Portability  Ac- 
coimtabihty  Act  (HIPAA)  and  the  Department's  proposal  that  federal  regulations 
will  serve  as  a  floor,  rather  than  a  ceiling,  on  privacy  protections  afforded  by  states. 
Under  this  approach,  a  minimum  federal  standard  would  extend  important  protec- 
tions to  all  consumers,  but  state  laws  providing  greater  protections  would  remain 
in  place  or  could  be  enacted  in  the  future  to  meet  new  needs. 

While  the  regulations  create  important  new  protections,  there  are  areas  where  the 
Department  stopped  short  of  fully  exercising  its  authority  under  HIPAA  or  did  not 
provide  adequate  clarification  in  the  regulations.  We  are  submitting  com  merits  to 
the  Secretary  which  detail  these  issues.  Many  of  these  issues  are  summarized 
below. 

The  regulations  should  apply  to  both  electronic  and  non-electronic 
health  information.  Consistent  treatment  of  health  information  provides  a  much 
more  workable  framework  for  covered  entities.  Otherwise,  covered  entities  would 
need  to  keep  track  of  the  method  of  transmittal  of  information  from  all  paper 
records  in  order  to  determine  which  information  in  an  individual's  file  is  protected. 
Further,  because  most  information  is  not  maintained  in  electronic  form,  the  failure 
to  cover  paper  records  provides  a  gaping  hole  through  which  much  confidential  in- 
formation can  be  transmitted  despite  Congress'  desire  to  protect  the  privacy  of  an 
individual's  health  records. 

The  regulations  must  clarify  that  protected  health  information  obtained 
by  an  employer  sponsored  self-funded  or  insured  plan  cannot  be  shared 
with  other  parts  of  the  employer's  organization.  If  it  is  not  made  clear  that 
private  health  information  cannot  be  shared,  it  will  be  used  improperly  by  some  em- 
ployers to  make  such  employment  decisions  as  promotions,  job  assignments  and 
firings. 

The  regulations  must  extend  privacy  protections  to  medical  records  con- 
nected to  workers'  compensation  claims.  There  is  a  serious  problem  of  unlim- 
ited access  to  and  misuse  by  employers  and  insurers  of  individually  identifiable 
health  information  of  workers  who  have  filed  such  claims.  Medical  records  have 
been  used  to  discriminate,  harass,  blacklist  and  deny  workers  their  rights  imder  the 
law.  We  do  not  believe  that  Congress  intended  to  exempt  workers'  compensation  in- 
surers from  the  scope  of  coverage  and  believe  that  the  Department  should  address 
this  subject. 

Thank  you  for  the  opportunity  to  submit  a  statement  for  the  record  for  this  impor- 
tant hearing. 

Sincerely, 

Charles  M.  Loveless 

Director  of  Legislation 

CML:bcc 

cc:  Rep.  Pete  Stark,  Ranking  Member 
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statement  of  American  Healthways,  Inc.,  Nashville,  TN 

American  Healthways,  Inc.  ("AMHC"),  the  successor  corporate  name  of  American 
Healthcorp,  Inc.,  appreciates  the  opportunity  to  submit  the  following  comments  for 
inclusion  in  the  record  of  the  House  Ways  and  Means  Health  Subcommittee  Hearing 
on  Patient  Record  Confidentiality  on  February  17,  2000. 

Overall  AMHC  strongly  supports  the  proposed  privacy  regulations  published  at  64 
Fed.  Reg.  59,918  (Nov.  3,  1998),  particularly  the  inclusion  of  disease  management 
in  the  definition  of  treatment.  It  is  imperative  to  legitimate  disease  management  or- 
ganizations that  the  use  and  disclosure  of  identifiable  health  information  for 
disease  management  be  permitted  without  individual  authorizations.  This 
is  currently  permitted  in  the  proposed  regulations  and  is  essential  to  the  continued 
operation  and  success  of  disease  management  programs.  AMHC  and  similar  disease 
management  organizations,  however,  are  extremely  concerned  about  the  lack  of  a 
imiform  standard.  Accordingly,  AMHC  believes  that  complete  federal  preemp- 
tion of  all  state  medical  privacy  laws  is  imperative 

AMHC,  headquartered  in  Nashville,  Tennessee,  is  the  nation's  leading  operator  of 
care  and  disease  management  services  with  160,000  lives  under  management. 
AMHC's  Diabetes  Healthways^M^  Cardiac  HealthwayssM,  and  Respiratory 
HealthwaysSM  programs  have  proved  effective  at  significantly  improving  health 
status  and  decreasing  overall  cost  for  these  disease  populations. 

The  privacy  of  individually  identifiable  health  information  is  of  utmost  importance 
to  AMHC.  AMHC  has  extensive  pohcies  and  procedures  to  protect  patient  confiden- 
tiaUty.  As  a  result,  neither  AMHC  nor  its  chents  have  received  a  single  confidential- 
ity or  privacy  complaint  regarding  AMHC's  disease  management  programs.  AMHC 
provides  these  comments  to  the  Subcommittee  fi'om  this  perspective. 

DISEASE  MANAGEMENT  IN  THE  PROPOSED  REGULATIONS 

The  proposed  regulations  allow  a  covered  entity  to  use  or  disclose  protected  health 
information  without  individual  authorization  "to  carry  out  treatment,  payment,  or 
health  care  operations."  ^  "Treatment"  is  defined  as  "the  provision  of  health  care  by, 
or  the  coordination  of  health  care  (including  health  care  management  of  the  individ- 
ual through  risk  assessment,  case  management,  and  disease  management)  among, 
health  care  providers;  the  referral  of  a  patient  from  one  provider  to  another;  or  the 
coordination  of  health  care  or  other  services  among  health  care  providers  and  third 
parties  authorized  by  the  health  plan  or  the  individual"^  Under  this  definition,  use 
and  disclosure  of  protected  health  information  for  disease  management  is  permis- 
sible without  individual  authorization. 

It  is  imperative  that  this  be  maintained.  The  use  of  identifiable  health  informa- 
tion without  patient  authorization  is  essential  to  the  ability  of  disease  managers 
such  as  AMHC  to  provide  and  obtain  the  greatest  benefits  for  patients  fi'om  its  dis- 
ease management  services. 

AMHC  has  utilized  both  an  enrollment  or  "opt-in"  model  and  an  engagement  or 
"opt-out"  model  for  its  disease  management  programs.  Under  the  enrollment  model, 
individuals  choose  whether  to  participate  in  the  disease  management  program.  In 
an  engagement  model,  plan  members  are  automatically  provided  the  benefit  of  the 
disease  management  program,  but  may  choose  to  "opt-out"  of  participation.  Al- 
though an  argument  might  be  made  that  the  enrollment  model  provides  greater  pri- 
vacy  protection,  it  imnecessarily  intrudes  upon  the  existing  coordination  of  care,  pro- 
ducing vastly  inferior  health  care  outcomes  to  the  engagement  or  "opt-out"  model. 

By  way  of  direct  comparison,  AMHC  documented  that  with  the  engagement  model 
AMHC's  programs  achieve  98  percent  participation,  compared  to  less  than  30  percent 
for  a  typical  enrollment  model.  Additionally,  cost  savings  are  dramatically  less  for 
an  enrollment  model.  For  example,  annualized  diabetes  health  care  cost  savings  for 
an  average  100,000  member  plan  under  the  engagement  model  is  $1,738,716  as 
compared  to  only  $443,550  for  an  enrollment  model. 

The  reason  for  the  difference  in  participation  rates  and  cost  savings  is  that  people 
with  chronic  diseases  oft;en  suffer  fi:om  inertia  £ind  denial  about  their  disease.  The 
engagement  process  circumvents  this  avoidance  tendency.  Typically,  the  individuals 
who  opt-in  are  the  healthier  patients  who  are  already  highly  motivated  to  manage 
their  disease.  These  people  are  less  in  need  of  the  extensive  disease  management 


164  Fed.  Reg.  59,918,  60,053  (Nov.  3,  1998). 
^Id.  (emphasis  added). 
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programs  and,  therefore,  the  cUnical  improvements  in  these  patients  (with  their  con- 
comitant cost  savings),  while  still  present,  are  less  significant. 

An  engagement  model  strikes  tne  right  balance  between  the  competing  interests 
of  individual  privacy  rights  on  the  one  hand  and  the  tremendous  clinical  and  finan- 
cial benefits  of  disease  management  on  the  other.  Allowing  individuals  to  opt-out 
still  provides  individuals  a  choice  and  yet  retains  the  tremendous  clinical  and  finan- 
cial benefits  of  disease  management  for  the  largest  nimiber  of  individuals.  Moreover, 
because  disease  managers  are  business  partners,  confidentiality  of  protected  health 
information  remains  protected  fi"om  secondary  use  or  disclosure.  Accordingly,  dis- 
ease management  programs  must  be  allowed  to  continue  to  use  and  receive  pro- 
tected health  information  for  disease  management  without  patient  authorization. 

COMPLETE  FEDERAL  PREEMPTION 

In  the  proposed  regulations,  HHS  states  "HIPAA  provides  that  the  rule  promul- 
gated by  [HHS]  may  not  preempt  state  laws  that  are  in  conflict  with  the  regulatory 
requirements  and  that  provide  greater  privacy  protections."  ^  Although  HHS  may 
lack  the  authority  to  preempt  state  privacy  laws,  complete  preemption  of  state  laws 
is  imperative.  AMHC  thus  far  has  managed  to  operate  in  comphance  with  all  appU- 
cable  state  laws.  However,  maneuvering  around  the  varjdng  and  often  incompatible 
requirements  of  so  many  state  laws  has  been  difficult.  Soon,  the  task  may  be  impos- 
sible. Since  the  nation's  attention  has  been  focused  on  medical  records  privacy 
issues,  many  states  have  enacted  new  privacy  laws  and  almost  all  states  have  sig- 
nificant privacy  legislation  pending. 

California  recently  enacted  a  new  privacy  statute  which  only  allows  disclosure  of 
identifiable  health  information  for  disease  management  if  the  services  aire  approved 
by  the  patient's  primary  care  provider. ^  The  health  plans,  more  often  than  provid- 
ers, contract  with  AMHC  for  the  provision  of  disease  management  services.  Individ- 
uals, therefore,  are  entitled  to  disease  management  services  by  virtue  of  their  mem- 
bership in  the  plan,  not  as  a  function  of  their  relationship  with  a  physician.  Individ- 
uals should  be  able  to  decide  whether  to  "opt-out"  of  participation  in  the  disease 
management  program  offered.  Physicians  should  not  be  permitted  to  impede  the 
provision  of  these  services  to  their  patients.  The  requirement  that  the  physician  au- 
thorize disease  management  services  imposes  an  additional  administrative  burden 
that  will  substantially  diminish  the  number  of  Califomians  who  may  benefit  from 
disease  management  services. 

Some  state  privaQ^  laws  directly  conflict  with  others,  making  it  impossible  to  pro- 
vide the  same,  consistent  services  to  residents  of  different  states.  Health  plans  that 
contract  with  national  employers  {e.g.,  Federal  Express)  want  and  need  to  provide 
a  uniform  set  of  benefits  to  all  their  employees.  This  is  impossible  with  the  varying 
and  ofi^n  conflicting  state  laws  and  requirements.  In  addition,  a  health  plan  which 
is  national  in  scope  (e.g.,  Cigna)  needs  the  abihty  to  seU  and  deliver  uniform  prod- 
ucts, again  extremely  onerous,  if  not  impossible,  without  one  imiform  standard. 

Furthermore,  disease  managers  such  as  AMHC  must  keep  abreast  of  all  state 
laws  and  ensure  compliance  with  each  state's  nuances,  requirements  and  prohibi- 
tions. This  is  becoming  extremely  difficult  and  significantly  adds  to  the  cost  and 
burdens  on  the  deUvery  of  health  care,  generally,  and  disease  management  services, 
specifically. 

Finally,  it  is  often  difficult  to  know  which  state's  laws  apply.  It  is  conceivable  that 
for  one  transfer  of  protected  health  information,  several  states'  laws  could  be  appU- 
cable.  For  example,  in  the  disclosure  of  protected  health  information  fi-om  a  he^th 
plan  to  a  disease  management  organization,  the  following  state  laws  could  apply: 
(1)  the  state  in  which  the  health  plan  (the  disclosing  entity)  is  based,  (2)  the  state 
in  which  the  business  partner  (the  receiving  entity)  is  based,  (3)  the  state  in  which 
the  health  care  services  contained  in  the  protected  health  information  were  ren- 
dered, (4)  the  state  in  which  the  disease  management  services  are  provided  and  (5) 
the  state  in  which  the  individual  patient  resides.  Thus,  it  is  entirely  possible  that 
inconsistent  standards  and  requirements  could  apply  to  one  disclosure  or  use  of  pro- 
tected health  information.  The  imcertainty  of  which  laws  apply  as  well  as  the  com- 
plexity and  diffioilty  in  complying  with  the  various  state  laws  will  likely  cripple  the 
deUvery  of  health  care  and  disease  management  services,  especially  as  states  con- 
tinue to  enact  more  sophisticated,  complicated  £ind  extensive  health  care  privacy  leg- 
islation. 

Accordingly,  to  preserve  the  continued  provision  of  high  quahty,  affordable  health 
care  incluchng  disease  management  services,  complete  federal  preemption  of  state 
privacy  laws  is  imperative.  Without  preemption,  the  processes  associated  with  the 


^Id.  at  59,926. 

4  See  Cal.  Civil  Cods  §  56.10(17)  (West  1999). 
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delivery  of  health  care  could  come  to  a  screeching  halt  as  they  did  in  Maine  when 
that  State  enacted  an  over-zealous  privacy  law.^ 

Congress  should  either  provide  HHS  with  such  preemption  authority  or  them- 
selves exercise  congressional  authority  to  provide  complete  federal  preemption  of 
state  medical  privacy  laws.  One  consistent,  uniform  standard,  especially  given  the 
electronic  world  in  which  we  now  find  ourselves,  is  absolutely  imperative  and  ur- 
gently needed.  Congress  has  the  authority  to  preempt  state  laws  in  this  area  as  the 
electronic  exchange  of  identifiable  health  information  involves  interstate  commerce 
as  it  is  an  interstate  activity.  Health  plans,  employers,  providers  and  disease  man- 
agers often  provide  services  to  individuals  in  multiple  states.  Accordingly,  Congress 
must  exercise  its  preemption  authority  to  ensure  uniformity  and  clarity  in  the  use, 
disclosure  and  protection  of  identifiable  health  information. 

ABOUT  AMHC 

AMHC  uses  identifiable  health  information  provided  by  its  contractors — typically 
health  insurance  companies — in  its  Diabetes  HealthwaysSM,  Cardiac  Healthways^^ 
and  Respiratory  Healthways^M  programs  to  identify  individuals  with  the  targeted 
disease,  determine  what  level  of  intervention  is  required,  and  monitor,  coordinate, 
and  integrate  the  care  of  those  individuals.  Release  of  identifiable  health  informa- 
tion to  AMHC  without  individual  authorization  is  essential  to  the  continued  oper- 
ation of  AMHC's  disease  management  programs.  If  authorizations  were  required  be- 
fore each  use  or  disclosure,  disease  management  programs  would  be  impeded,  if  not 
halted,  and  their  tremendous  clinical  and  financial  benefits  diminished.^ 

AMHC's  population  management  programs  are  comprehensive  health  manage- 
ment systems  driven  by  proactive  interventions  to  identify,  manage  and  coordinate 
the  care  of  populations  affected  by  cardiac  or  respiratory  disease  or  diabetes.  AMHC 
works  with  physicians,  inpatient  caretakers  and  other  medical  professionals  to  de- 
velop the  best  possible  care  plans  for  patients.  AMHC's  services  are  in  the  direct 
chain  of  care,  providing  extensive  patient  services,  including  health  risk  assessment, 
education,  care  plan  development  and  management,  concurrent  care  review,  one-on- 
one  self-care  counseling,  and  primary  care  physician  support  and  education. 

Population-based  disease  management  programs  produce  significant  clinical  im- 
provements and  financial  savings.  AMHC's  programs  are  a  primary  example.  A 
peer-reviewed  study  of  Diabetes  Healthways'  Diabetes  NetCare^M  program  con- 
cluded that  the  program  "generated  substantial  gross  cost  savings"  and  resulted  in 
"substantial  improvement  in  all  of  the  clinical  measures  collected."'^  Specifically, 
"[mjembers  were  more  likely  to  receive  HbAlc  tests,  foot  exams,  eye  exams,  and 
cholesterol  screenings  while  enrolled  in  the  program  .  .  .  [and  hjospital  utihzation 
decreased  dramatically  for  each  plan's  diabetic  population."^  Hemoglobin  Ale  test- 
ing, a  signal  measure  of  health  status  among  people  with  diabetes,  increased  127 
percent  during  the  first  year  of  the  program.  Cardiac  Healthways^^^  also  produces 
impressive  clinical  improvements.  The  ACE  inhibitor,  cholesterol  testing,  and  beta 
blocker  compliance,  the  benchmark  cardiac  care  protocols,  improved  23  percent,  61 
percent,  and  62  percent,  respectively,  during  year  one  for  AMHC's  cardiac  popu- 
lations. 

AMHC's  programs  also  produce  significant  financial  benefits.  The  Diabetes 
HealthwaysSM  program  resulted  in  a  12.3  percent  gross  financial  savings  during  the 
first  year,  and  increased  savings  each  year  thereafter.  "Hospital  costs  decreased  by 
$47  per  diabetic  plan  member  per  month,  or  $564  per  year."^  Patients  in  the  Car- 
diac HealthwaysSM  program  achieve  even  more  dramatic  first-year  savings,  an  aver- 
age of  62  percent  for  patients  suffering  from  congestive  heart  failure.  These  savings 
also  increase  year  after  year  as  a  result  of  AMHC's  aggressive  preventative  meas- 
ures for  less  severely  ill  patients  that  delay  or  prevent  the  otherwise  inevitable 
onset  of  complications  associated  with  diabetes  and  cardiac  disease.  Other  disease 
management  programs  have  achieved  noticeable  results  as  well. 

AMHC  contracts  with  and  provides  disease  management  services  on  behalf  of 
health  plans  and  obtains  identifiable  health  information  directly  from  the  plans. 
AMHC  runs  the  information  through  an  AMHC  developed  algorithm  to  determine 
which  individuals  likely  have  diabetes,  cardiac  or  respiratory  disease  and  what  level 
of  intervention  is  required.  AMHC  attempts  to  extract  all  individuals  with  diabetes, 


5  The  law  was  swiftly  repealed. 

^See  Robert  J.  Rubin  et  al.,  Clinical  and  Economic  Impact  of  Implementing  a  Comprehensive 
Diabetes  Management  Program  in  Managed  Care,  83  J.  Clin.  Endocrinol,  and  Metab.  2635,  2640 
(1998)  for  a  discussion  of  the  benefits  of  disease  management. 
Ud.  at  2640. 

at  2640-41. 
at  2641. 
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coronary  or  respiratory  disease.  AMHC's  population  management  approach  is 
imique  in  that  it  manages  the  health  care  of  the  entire  population  with  certain 
chronic  conditions,  regardless  of  the  severity  of  the  illness,  historical  cost,  co-morbid 
compUcations  or  preexisting  conditions. 

The  algorithm  does  resmt  in  some  false  positives.  To  ensure  that  an  individual 
is  not  falsely  identified  as  having  diabetes  or  cardiac  disease,  AMHC  contacts  the 
individual's  physician  to  verify  the  diagnosis.  Any  false  positives  are  removed  from 
the  population  and  some  imidentified  individuals,  missed  by  the  algorithm,  are 
added.  If  the  false  positives  are  not  caught  through  this  method,  individuals  still 
have  the  opportunity  to  opt-out  of  the  program  if  they  do  not  have  the  targeted  dis- 
ease (or  for  any  reason).  In  addition,  under  the  proposed  regulations,  individuals  are 
always  afforded  the  opportimity  to  amend  any  incorrect  health  information  in  their 
records.  Regardless,  AMHC  never  discloses  identifiable  health  information  other 
than  to  its  employees  or  agents  implementing  the  disease  management  program  or 
to  individuals'  physicians. 

Once  AMHC  has  the  targeted  disease  population  extracted,  identified  individuals 
are  sent  a  letter,  on  health  plan  letterhead,  describing  the  program.  Individuals 
have  the  opportunity  to  opt-out  of  participation.  As  discussed  more  fully,  irdra.  Dia- 
betes Healthways^M  has  used  both  an  engagement  (opt-out)  and  enrollment  (opt-in) 
model  of  participation.  The  engagement  model  achieves  a  98  percent  participation 
rate  while  an  enrollment  model  results  in  less  than  30  percent  participation. 

Once  an  individual  is  part  of  the  disease  management  program,  AMHC  assumes 
responsibility  for  all  the  health  care  of  affected  populations,  whether  or  not  related 
to  the  named  chronic  disease,  and  coordinates  the  care  wherever  it  is  dehvered:  at 
home,  in  the  hospital,  in  the  physician's  office,  or  in  any  other  outpatient  or  inpa- 
tient setting.  Both  Diabetes  HealthwaysSM  and  Cardiac  Healthways^M  do,  and  Res- 
piratory Healthways^M  will,  provide  (fisease  management  for  all  individuals  in  the 
targeted  disease  population  and  monitor  and  coorcfinate  all  their  health  care  in  all 
he£uth  care  settings.  These  comprehensive  programs  have  achieved  great  success. 

Overall,  AMHC  strongly  supports  the  proposed  privacy  regulations  as  drafted. 
AMHC  appreciates  the  Department  of  Health  and  Himian  Services'  ("HHS")  recogni- 
tion of  the  importance  of  legitimate  disease  management  through  its  inclusion  in  the 
definition  of  treatment.  Disease  management  programs  such  as  AMHC's  Diabetes 
Healthways^M^  Cardiac  Healthways^M  and  Respiratory  HealthwaysSM  produce  tre- 
mendous clinical  benefits  to  the  patient  pubUc  (not  to  mention  concomitant  financial 
savings)  and,  therefore,  should  be  encouraged,  not  hindered  by  the  privacy  regula- 
tions. 


Statement  of  American  Psychoanalytic  Association,  New  York,  NY 

The  Health  Information  Privacy  Regulations  proposed  by  the  Administration  on 
November  3,  1999  represent  one  of  the  most  thoughtftd  efforts  to  date  to  address 
the  growing  threat  to  the  privacy  of  identifiable  health  information.  The  preamble 
to  the  regulations  sets  forth  the  most  thorough  analysis  of  the  importance  of  medical 
information  privacy  to  quality  health  care  and  the  pubUc's  confidence  in  the  health 
dehvery  system.  With  the  exception  of  the  protection  for  "psychotherapy  notes," 
however,  the  privacy  protections  in  the  proposed  regulations  do  not  fulfill  the  prom- 
ise of  the  preamble. 

As  the  preamble  notes,  the  preservation  of  health  information  privacy  is  a  "major 
concern"  of  citizens.  Health  information  privacy  is  also  essential  for  quahty  health 
care  because  without  an  assurance  of  privacy,  individuals  will  not  make  the  disclo- 
sures to  physicians  and  other  caregivers  necessary  for  treatment  and  diagnosis, 
caregivers  will  not  accurately  record  information  in  the  medical  record  and  individ- 
uals will  refi'ain  fi*om  seeking  the  care  they  need. 

The  preamble  correctly  notes  that  an  assurance  of  "strict  confidentiality"  is  essen- 
tial for  patients  to  receive  effective  psychotherapy.  That  conclusion  is  supported  by 
the  "reason  and  experience"  reflected  in  the  therapist-patient  privilege  which  is  rec- 
ognized by  the  statutory  laws  in  all  50  states  and  the  District  of  Columbia,  both 
federal  and  state  common  law,  the  ethical  standards  of  every  mental  health  profes- 
sional association,  and  the  recently  released  Surgeon  General's  Report  on  Mental 
Health.  The  common  thread  of  all  of  these  laws  and  standards  is  that  therapist-pa- 
tient communications  cannot  be  disclosed  beyond  the  therapist  without  the  patient's 
consent. 

The  underlying  statute  directs  the  Secretary  to  issue  regulations  that  address  at 
least  the  rights  that  individuals  "shoxild  have"  with  respect  to  their  identifiable 
health  information.  The  preamble  notes  that  privacy  is  a  fundamental  right  which 
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is  an  element  of  the  constitutional  right  to  liberty,  but  the  regulations  make  no 
mention  of  an  individual's  right  to  privacy  for  identifiable  health  information. 

The  regulations  also  eliminate  the  traditional  requirement  of  obtaining  patient 
consent  before  disclosing  identifiable  health  information  except  for  marketing  and 
certain  other  "non-health"  related  uses.  Accordingly,  these  regulations  would  permit 
disclosure  of  most  identifiable  health  information  for  most  uses  without  patient  no- 
tice or  consent. 

In  an  exception  to  the  general  rule,  the  regulations  require  consent  for  the  disclo- 
sure of  "psychotherapy  notes"  for  the  purposes  of  treatment,  payment  and  health 
care  operations.  The  regulations,  however,  permit  the  disclosure  of  psychotherapy 
commxmications  that  do  not  come  within  the  narrow  definition  of  "psychotherapy 
notes"  and  do  not  recognize  even  that  narrow  exception  for  13  other  uses  character- 
ized as  "national  priorities."  Accordingly,  the  regulations  do  not  aifford  the  protection 
for  psychotherapy  communications  that  is  generally  accepted  as  being  essentisil  for 
effective  psychotherapy  services. 

The  preamble  to  the  regulations  recognizes  that  statutory  authority  has  not  been 
granted  to  permit  effective  enforcement  of  the  privacy  protections  contained  in  the 
regulations.  Further,  the  protections  in  the  regulations  are  unenforceable  because, 
in  the  absence  of  notice  of  specific  disclosures  or  consent,  individuals  will  have  no 
way  of  knowing  when,  where  and  to  whom  their  information  was  disclosed.  Two  of 
the  principal  privacy  protections  in  the  regulations — the  limitation  on  disclosures  to 
the  minimum  information  necessary  for  the  intended  use  and  the  "right  to  restrict" 
disclosures  that  are  otherwise  allowable — are  particularly  unenforceable.  The  infor- 
mation necessary  for  an  intended  use  varies  with  the  size  and  technical  capability 
of  the  disclosing  entity,  and  providers  have  a  right  to  refuse  any  request  to  restrict 
disclosures. 

The  regulations  appropriately  do  not  preempt  state  privacy  laws,  including  state 
common  laws,  which  furnish  "more  stringent"  privacy  protections.  The  recognition 
of  state  common  laws  is  particularly  appropriate  because  most  privacy  protections 
are  found  in  state  common  laws,  and  those  court  rulings  reflect  the  history  of  "rea- 
son and  experience"  in  those  states. 

The  American  Psychoanalytic  Association  believes  that  the  following  changes 
must  be  made  in  the  regulations  if  the  public's  confidence  in  the  health  dehvery  sys- 
tem is  to  be  preserved: 

1.  Individuals'  right  to  privacy  for  identifiable  health  information  should  be  ex- 
pressly recognized. 

2.  The  right  of  patients  to  give  or  withhold  consent  for  most  disclosures  should 
be  preserved. 

3.  The  regulations  should  establish  "strict  confidentiality  protections  for  mental 
health  information  and  specify  the  information  that  may  be  disclosed  with  patient 
consent  to  third  party  payors.  This  approach  is  consistent  with  federal  and  state 
common  law  and  has  been  in  effect  for  15-20  years  in  New  Jersey  and  the  District 
of  Colimibia. 

4.  The  privilege  recognized  for  psychotherapist-patient  communications  in  the 
1996  Supreme  Court  decision  in  Jaffee  v.  Redmond  should  be  recognized  in  the  reg- 
ulations. They  also  should  provide  that  any  disclosure  for  a  purpose  under  the  regu- 
lations will  not  constitute  a  waiver  of  the  federal  or  state  privilege. 

5.  Patients  should  be  permitted  to  preserve  the  privacy  of  their  health  information 
by  pa3dng  for  services  with  their  own  funds. 

Privacy  is  essential  for  quality  health  care,  but  it  is  also  an  indispensable  element 
of  the  right  to  liberty — one  of  the  core  principles  of  our  Constitution.  These  prin- 
ciples have  been  forged  and  preserved  through  the  sacrifices  of  prior  generations. 
With  the  consideration  of  the  right  to  medical  privacy,  we  reach  one  of  those  critical 
points  in  our  nation's  history  when  we  must  decide  whether  we  remain  committed 
to  those  principles. 


Statement  of  William  C.  McGinly,  PI1.D.,  CAE,  President,  Association  for 
Healthcare  Philanthropy,  Falls  Church,  VA 

The  Association  for  Healthcare  Philanthropy  (AHP)  is  pleased  to  present  its  com- 
ments for  the  written  record  on  the  proposed  rules  concerning  the  standards  for  pri- 
vacy of  individually  identifiable  health  information.  (At  your  request,  please  be  ad- 
vised that  our  comments  also  are  submitted  on  an  IBM  compatible  3.5-inch  diskette 
in  MS  Word  format.) 


Ill 


Summary  and  Introduction 

Established  in  1967,  the  Association  for  Healthcare  Philanthropy  (AHP)  is  a  not- 
for-profit  organization  whose  2,850  members  manage  philanthropic  programs  in 
1,700  of  the  nation's  3,400  not-for-profit  health  care  providers.  As  AHFs  president 
and  chief  executive  officer,  I  can  tell  you  that  an  estimated  75%  to  80%  of  the  U.S. 
population  resides  in  the  areas  served  by  these  providers,  which  include  community 
hospitals  and  medical  centers  (59%),  multihospital  systems  (14%),  specialty  institu- 
tions (8%),  academic  institutions  (5%),  long-term  care  facilities  (5%),  and  other  not- 
for-profit  facihties  (9%). 

AHFs  members  raised  more  than  $5.7  bilhon  in  FY1998-$1.92  biUion  more  than 
was  raised  by  aU  of  United  Way  of  America  during  the  same  time  period. 

Funds  raised  by  AHFs  members  directly  support  health  care  programs  and  serv- 
ices that  are  unfunded  or  underfimded  by  other  sources.  These  include: 

•  programs  to  promote  healthy  behaviors; 

•  a  vast  array  of  community  wellness  programs,  from  mobile  health  vans  to  mam- 
mography screenings  and  hearing  and  eye  exams;  and 

•  much  needed  facihty  improvements  and  essential  equipment  upgrades. 

Such  programs  are  central  to  the  not-for-profit  mission  of  AHP  members'  institu- 
tions and  organizations.  They  are  an  integral  part  of  their  business.  For  such  pro- 
grams to  continue,  AHFs  members  must  have  access  to  their  health  care  provider's 
database.  The  reason:  More  than  60%  of  funds  raised  each  year  come  firom  individ- 
uals-most of  whom  are  gratefiil  patients. 

In  approaching  prospective  patient  donors,  AHP  members  are  sworn  to  respect 
the  confidentiaHty  of  patient  information  through  the  AHP  Statement  of  Profes- 
sional Standards  and  Conduct  and  its  companion  Bill  of  Donor  Rights.  Further, 
AHP  members  are  committed  to  upholding  the  spirit  and  intent  of  state  and  federal 
laws  governing  use  of  patient  information.  The  way  in  which  AHP  members'  institu- 
tions and  organizations  handle  confidential  information  might  be  likened  to  how  col- 
leges handle  student  records.  That  is,  academic  records  are  not  released  without  au- 
thorization, even  to  tuition-paying  parents,  yet  demographic  data  routinely  is  given 
to  the  alumni  office  for  fund-raising  efforts  that  ensure  the  support  of  the  college's 
long-range  educational  mission. 

AHP  respectfully  requests  that  the  proposed  regulations  be  amended  so  that  they 
neither  block  nor  reduce  our  members'  abihty  to  raise  funds  for  not-for-profit  pubhc 
health  care  programs. 

More  specific  comments  and  related  amendatory  language  follow. 

Background:  Need  for  Privacy  Standards 

AHP  fully  supports  the  development  of  standards  that  protect  the  confidentiaHty 
of  individually  identifiable  health  information.  However,  those  standards  shoiild  be 
moderated  so  that  they  also  protect  the  public  health  care  benefits  generated  by 
philanthropic  gifts  to  not-for-profit  providers. 

This  balance  of  private  need  and  public  good  is  the  essence  of  an  imderlying  tenet 
of  a  democratic  society,  and  it  is  one  that  AHP  beheves  should  be  written  into  these 
regulations. 

Statutory  Background 

AHP  contends  that  the  regulations  as  proposed  would  not  meet  the  statutory  re- 
quirements for  the  privacy  standards,  which  require  that  any  privacy  standard 
adopted  to  implement  the  Health  Insurance  PortabiUty  and  Accountabihty  Act  of 
1996  (HIPAA)  "shaU  be  consistent  with  the  objective  of  reducing  the  administrative 
costs  of  providing  and  paying  for  health  care  [emphasis  added]." 

By  restricting  AHP  members'  access  to  patient  databases,  the  proposed  regula- 
tions threaten  to  destroy  a  major  funding  source  for  pubUc  health  care,  that  is, 
grateful  patients.  More  than  60%  of  all  philanthropic  gifts  to  not-for-profit  health 
care  providers  come  from  individuals,  most  of  whom  are  grateful  patients.  If  access 
to  grateful  patients  had  been  restricted  in  FY1998,  when  AHP  members  raised  more 
than  $5.7  bilhon  for  pubHc  health  care  programs,  those  programs  might  have  lost 
as  much  as  $3.42  biUion. 

Thus,  the  proposed  regulations  include  a  substantial  hidden  cost. 

Consultations 

AHP  appreciates  the  opportunity  to  increase  awareness  of  health  care  philan- 
thropy and  its  role  in  paying  for  health  care,  and  to  propose  alternate  language  in 
a  number  of  sections  in  the  proposed  regulations. 
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Summary  and  Purpose  of  the  Proposed  Rule 

AHP  supports  the  Secretary's  recommendation  for  comprehensive  rules  that 
would,  among  other  goals,  "(a)llow  for  the  smooth  flow  of  identifiable  health  infor- 
mation for  treatment,  payment,  and  related  operations,  and  for  specified  additional 
purposes  related  to  health  care  that  are  in  the  pubUc  interest  [emphasis  added]." 

AHP  proposes  that  the  final  regulations  can  only  meet  this  goal  if  they  specify 
that  not-for-profit  health  care  providers'  fund-raising  programs  are  operated  in  the 
public's  interest  as  an  integral  part  of  the  providers'  business  operations;  therefore, 
these  programs  should  be  included  in  the  smooth  flow  of  identifiable  health  informa- 
tion. 

Specifically,  in  Paragraph  5,  AHP  would  have  the  fund-raising 
activities  of  not-for-profit  health  care  providers  included  imder  **health  care  oper- 
ations" that  do  not  require  individual  authorization. 

Applicability 

AHP  endorses  the  applicability  of  the  privacy  standards  to  the  entities  that  in- 
clude the  health  care  providers  that  employ  AHP  members,  but  again  urges  the  Sec- 
retary to  make  philanthropy  programs  a  permissible  use  of  individually  identifiable 
health  information,  without  authorization,  as  part  of  a  provider's  "health  care  oper- 
ations." 

Definitions 

Health  information:  AHP  generally  supports  the  definition  of  "health  information" 
and  the  applicability  of  the  privacy  standards  to  health  information.  However,  a 
minimum  amount  of  health  information  is  often  helpful  to  the  professional  develop- 
ment officer-if  only  to  exclude  certain  constituent  groups  from  messages  likely  to  be 
deemed  ofiensive.  For  instance,  the  following  tenets  usually  guide  AHP  members 
when  they  handle  sensitive  health  information: 

•  "Donor  acquisition"  mailings  that  go  to  former  patients  or  their  families  simply 
do  not  refer  to  patients'  recent  hospitaHzations  or  their  illnesses. 

•  In  cases  where  a  patient  has  freely  shared  personal  information  regarding  med- 
ical conditions,  or  has  expressed  an  interest  or  made  previous  donations  to  a  speci- 
fied program  or  department,  segmented  appeals  for  related  medical  causes  may 
occur,  but  these,  too,  do  not  expressly  refer  to  patients'  illnesses. 

•  Patients  hospitalized  or  treated  for  psychiatric  and  substance  abuse  treatment 
are  routinely  omitted  from  donor  acquisition  approaches  because  of  the  heightened 
sensitivity  commonly  associated  with  these  diagnostic  groups.  Also  excluded  are  all 
minors. 

•  In  general,  philanthropy  programs  give  careful  thought  to  the  audience  and 
message  of  all  fund-raising  appeals,  and  where  appropriate  eliminate  any  constitu- 
ent groups  and/or  messages  deemed  likely  to  be  offensive  to  recipients. 

TSBusiness  partner:  AHP  supports  the  definition  of  "business  partner,"  but  would 
like  to  establish  an  understanding  about  how  the  definition  relates  to  the  ways  that 
health  care  philanthropy  programs  are  structured. 

•  Nearly  70%  of  AHP  members  work  not  for  the  health  care  provider  but  for  sepa- 
rately incorporated  foundations,  which  are  recognized  as  charitable  entities  under 
501(c)(3)  of  the  federal  tax  code.  It  is  imperative  that  the  proposed  privacy  stand- 
ards not  inadvertently  close  the  door  to  charitable  gifts  that  support  pubHc  health 
programs-and  provide  donors  with  a  valued  income  tax  deduction. 

•  About  25%  of  AHP  members  work  for  stand-alone  departments  within  the 
health  care  provider  institution. 

•  The  other  5%  work  in  offices  with  some  other  structure.  Whether  the  privacy 
standards  apply  to  these  various  structures  as  "covered  entities"  or  "business  part- 
ners," it  is  critical  that  the  standards  not  limit  the  effectiveness  of  health  care  phi- 
lanthropy programs  to  raise  money  from  the  people  most  likely  to  give,  that  is, 
grateful  patients. 

Individually  identifiable  health  information:  A  minimum  of  patient  demographic 
information  is  essential  so  that  health  care  philanthropy  programs  can  carry  out 
their  not-for-profit  mission.  Age  is  needed  to  exclude  minors  from  appeals. 

Introduction  to  General  Rules 

The  health  care  philanthropy  programs  managed  by  AHP  members  would  not  ap- 
pear in  conflict  with  this  broadly  stated  intent,  if  "health  care"  is  broadly  construed 
to  include  public  health. 

Use  and  Disclosure  for  Treatment,  Payment,  and  Health  Care  Operations 

AHP  supports  the  uses  and  disclosures  permitted  without  authorization  in  this 
section,  but  adamantly  opposes  the  exclusion  of  certain  activities  from  the  definition 
of  "health  care  operations."  The  very  ability  of  not-for-profit  health  care  providers 
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to  fulfill  their  altruistic  mission  is  threatened  by  the  proposed  requirement  that  ad- 
vance authorization  is  necessary  for  the  following  activities: 

•  marketing  of  health  .  .  .  services; 

•  marketing  by  a  non-health  related  division  of  the  same  corporation;  and 

•  fund  raising. 

With  buy-outs  by  for-profit  health  care  providers  threatening  the  existence  of  not- 
for-profits,  marketing  is  critical  to  the  future  viability  of  these  altruistic  providers. 
Much  of  what  is  marketed  by  AHP  members-fi*om  departments  or  divisions  within 
a  provider's  corporation  or  fi-om  its  related  foimdation  (see  "definitions"  above)-has 
tremendous  benefit  for  community  health.  Wellness  programs,  mammography 
screening,  ear  and  eye  exams,  etc.,  are  marketed  by  AHP  members.  Many  of  these 
programs  are  funded  by  the  philanthropic  programs  that  AHP  members  manage. 

One  only  need  look  at  the  hospital  wings  donated  by  grateful  patients,  or  the 
donor  recognition  plaques  that  hne  hospital  corridors,  to  realize  that  patients  are 
grateful  for  hospital  services  and  do  not  mind  showing  their  appreciation  with  tan- 
gible gifts.  AHP  contends  that  these  gifts  are  wilhngly  made  because  they  are  asked 
for  after  services  have  been  received.  To  ask  for  them  in  advance-which  would  be 
the  effect  of  the  proposed  privacy  standards-would  easily  alienate  the  largest  pros- 
pect pool  for  philanthropic  gifts  to  not-for-profit  health  care  providers. 

Finally,  the  kind  of  marketing  carried  out  by  AHP  members  is  not  the  kind  of 
marketing  of  commercial  products  that  seems  to  be  the  real  target  of  this  regula- 
tion's restriction.  It  is  important  that  the  final  version  of  the  privacy  standards  dis- 
tinguish between  for-profit  and  not-for-profit  ventures. 

In  short,  AHP  would  strike  these  activities  from  the  hst  of  activities  that  require 
prior  authorization: 

•  marketing  of  health  .  .  .  services; 

•  marketing  by  a  non-health  related  division  of  the  same  corporation;  and 

•  fund  raising. 

Further,  AHP  would  expressly  permit  not-for-profit  health  care  providers  and 
their  business  partners  to  use  and  disclose  protected  information  without  authoriza- 
tion for  the  following  activities  that  are  central  to  their  altruistic  mission: 

•  marketing  programs  that  promote  the  health  of  the  community;  and 

•  raising  fijnds  that  support  charitable,  educational,  or  research  purposes  and 
capital  improvements. 

Minimum  Necessary  Use  and  Disclosure 

AHP  members  already  adhere  to  the  practice  of  minimed  use  and  disclosure.  On 
becoming  members,  they  pledge  to  uphold  the  AHP  Statement  of  Professional 
Standards  and  Conduct,  which  requires  that  an  individual's  right  to  privacy  be  re- 
spected and  that  information  gained  in  the  pursuit  of  professional  duties  remain 
confidential.  A  copy  of  the  AHP  Standards  is  enclosed. 

To  manage  effective  philanthropic  programs,  AHP  members  minimally  need  the 
names  of  patients  and  relatives,  their  addresses  and  telephone  numbers,  and  their 
age  (to  ehminate  minors).  A  minimum  of  health  information  is  helpful  (to  eliminate 
patients  with  sensitive  diagnoses). 

Right  to  Restrict  Uses  and  Disclosures 

Alfi*  members  already  restrict  use  and  disclosure  of  information  gained  in  pursuit 
of  their  professional  duties,  as  part  of  the  AHP  Statement  of  Professional  Standards 
and  Conduct  (copy  enclosed). 

Creation  of  De-Identified  Information 

AHP  supports  the  use  of  protected  health  information  for  statistical  and  analytical 
reports.  In  fact,  AHP  annually  conducts  its  Survey  on  Giving,  through  which  mem- 
bers share  information  about  health  care  philanthropy.  AHP  is  the  only  source  of 
this  data  in  the  country,  which  each  year  is  given  to  the  American  Association  for 
Fund  Raising  Counsel  for  its  comprehensive  report.  Giving  USA. 

Application  to  Business  Partners 

The  philanthropy  efforts  of  AHf*  members  are  structured  in  several  ways-as  foim- 
dations,  as  stand-alone  departments  or  divisions,  or  in  other  ways.  However  efforts 
are  structured,  whether  they  are  construed  as  "covered  entities"  or  "business  part- 
ners," it  is  paramoimt  that  these  regulations  permit  access  to  protected  data  with- 
out authorization. 

Application  to  Information  About  Deceased  Persons 

Ain*  supports  this  regulation's  intent  to  be  sensitive  to  the  famiHes  of  the  de- 
ceased. However,  AHP  respectfully  suggests  that  providing  its  members  with  pro- 
tected information  is  more  likely  to  achieve  this  goal  than  the  converse.  After  all, 
AHP  members  cannot  exclude  families  of  the  deceased  ft-om  general  appeals  for  phil- 
anthropic gifts  if  the  fact  of  death  is  not  known. 
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Furthermore,  when  friends  or  family  of  the  deceased  wish  to  make  a  memorial 
gift,  AHP  members  must  have  the  minimum  demographic  information  to  accommo- 
date this  wish. 

Adherence  to  the  Notice  of  Information  Practices 

AHP  supports  the  intent  of  this  section,  which  requires  that  information  uses  and 
disclosures  reflect  the  actual  notice  of  such  use  and  disclosure.  Again,  however,  AHP 
urges  that  the  philanthropic  programs  managed  by  its  members  be  included  under 
"health  operations"  that  do  not  require  advance  authorization  for  what  is  a  central 
component  of  the  mission  and  business  of  not-for-profit  providers. 

Uses  and  Disclosures  with  Individual  Authorization 

This  section  contains  one  phrase  that  reveals  the  intent  of  its  authors:  commercial 
gain.  AHP  could  not  agree  more  that  individuals  have  the  right  to  refuse  the  release 
of  protected  information  that  will  result  in  commercial  gain  to  the  requesting  entity. 
No  commercial  gain  is  possible  for  not-for-profit  health  care  providers,  and  privacy 
standards  must  distinguish  between  for-profit  and  not-for-profit  entities. 

The  philanthropic  programs  of  AHP  members  should  be  considered  an  integral 
part  of  the  provider's  "health  operations"  and  thus  be  exempt  from  individual  au- 
thorization. That  is  the  current  practice,  and  AHP  can  attest  to  the  fact  that  its 
members  hear  only  rare  concerns  which  are  quickly  resolved  after  they  explain  the 
health  services,  research,  and  educational  programs  that  are  supported  by  philan- 
thropy. 

Aside  from  the  inappropriateness  of  applying  this  standard  to  not-for-profit  health 
care  providers,  the  proposed  authorization  form  is  onerous  and  coimterproductive. 
Picture  a  patient  in  serious  condition,  being  admitted  to  a  hospital,  being  handed 
all  the  usual  forms  and  one  asking  for  permission  to  solicit  contributions  at  a  later 
date.  A  hospital  with  a  form  like  this  would  be  showing  very  little  sensitivity  to  the 
patient  and  would  likely  receive  no  gift  at  a  later  date,  even  if  the  patient  were 
grateful  for  the  medical  treatment  received. 

Introduction  to  Rights  of  Individuals 

AHP  supports  the  rights  of  individuals  as  delineated  in  the  proposed  regulations 
and  assures  the  Secretary  that  its  members  swear  to  respect  those  rights  through 
the  AHP  Statement  of  Professional  Standards  and  Conduct. 

Rights  and  Procedures  for  a  Written  Notice  of  Information  Practices 

AHP  believes  that  the  health  services,  research,  and  educational  programs  sup- 
ported by  the  philanthropy  programs  of  not-for-profit  health  care  providers  are  an 
integral  part  of  "health  operations"  and  should  be  treated  as  such  in  this  and  other 
sections  of  the  final  regulations. 

Rights  and  Procedures  for  Access  for  Inspection  and  Copying 

AHP  believes  that  the  health  services,  research,  and  educational  programs  sup- 
ported by  the  philanthropy  programs  of  not-for-profit  health  care  providers  are  an 
integral  part  of  "health  operations"  and  should  be  treated  as  such  in  this  and  other 
sections  of  the  final  regulations. 

All  of  AHP's  comments  are  offered  with  the  sincere  appeal  that  the  new  regula- 
tions should  be  structured  so  as  to  take  into  account  the  professional  ethical  stand- 
ards already  in  place.  These  regulations  must  allow  for  the  continued  work  of  hos- 
pitals and  health-related  foundations  in  philanthropic  programs  that  benefit  individ- 
uals and  communities  .  .  .  benefits  which,  if  lost,  would  be  severely  detrimental  to 
the  quality  of  life.  AHP  looks  forward  to  working  with  the  Department  in  order  to 
preserve  the  charitable  fund-raising  activities  of  not-for-profit  health  providers  while 
respecting  an  individual's  appropriately  limited  individually  identifiable  health  in- 
formation. 

We  appreciate  the  opportunity  to  comment  on  the  proposed  standards.  More  im- 
portantly, we  look  forward  to  actively  assisting  the  Department  in  developing  pro- 
tective patient  medical  record  regulations  while  safeguarding  our  non-profit  provid- 
ers' obligation  to  meet  their  charitable  purposes  and  fully  serve  their  patients. 


Professional  Standards  and  Conduct  from  Association  for  Healthcare 

Philanthropy 

Association  for  Healthcare  Philanthropy  members  represent  to  the  public,  by  per- 
sonal example  and  conduct,  both  their  employer  and  their  profession.  They  have, 
therefore,  a  duty  to  faithfully  adhere  to  the  highest  standards  and  conduct  in: 
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I.  Their  promotion  of  the  merits  of  their  institutions  and  of  excellence  in  health 
care  generally,  providing  commimity  leadership  in  cooperation  with  health,  edu- 
cationsd,  cultural,  and  other  organizations; 

II.  Their  words  and  actions,  embodying  respect  for  truth,  honesty,  fairness,  free 
inquiry,  and  the  opinions  of  others,  treating  all  with  equality  and  dignity; 

III.  Their  respect  for  all  individuals  without  regard  to  race,  color,  sex,  creed,  eth- 
nic or  national  identity,  handicap,  or  age; 

IV.  Their  commitment  to  strive  to  increase  professional  and  personal  skiUs  for  im- 
proved service  to  their  donors  and  institutions,  to  encourage  and  actively  participate 
in  career  development  for  themselves  and  others  whose  roles  include  support  for  re- 
source development  functions,  £md  to  share  freely  their  knowledge  and  experience 
with  others  as  appropriate; 

V.  Their  continuing  effort  and  energy  to  pursue  new  ideas  and  modifications  to 
improve  conditions  for,  and  benefits  to,  donors  and  their  institution; 

VI.  Their  avoidance  of  activities  that  might  damage  the  reputation  of  any  donor, 
their  institution,  any  other  resource  development  professional  or  the  profession  as 
a  whole,  or  themselves,  and  to  give  full  credit  for  the  ideas,  words,  or  images  origi- 
nated by  others; 

VTI.  Their  respect  for  the  rights  of  privacy  of  others  and  the  confidentiahty  of  in- 
formation gained  in  the  pursuit  of  their  professional  duties; 

VIII.  Their  acceptance  of  a  compensation  method  freely  agreed  upon  and  based 
on  their  institution's  usual  and  customary  compensation  guidelines  which  have  been 
estabhshed  and  approved  for  general  institutional  use  while  always  remembering 
that:  any  compensation  agreement  should  fully  reflect  the  standards  of  profession£d 
conduct;  and,  antitrust  laws  in  the  United  States  prohibit  limitation  on  compensa- 
tion methods; 

IX.  Their  respect  for  the  law  and  professional  ethics  as  a  standard  of  personal  con- 
duct, with  full  adherence  to  the  policies  and  procediires  of  their  institution; 

X.  Their  pledge  to  adhere  to  this  Statement  of  Professional  Standards  and  Con- 
duct, and  to  encourage  others  to  join  them  in  observance  of  its  guidelines. 

A  Donor  Bill  of  Rights 

Philanthropy  is  based  on  voluntary  action  for  the  common  good.  It  is  a  tradition 
of  giving  and  sharing  that  is  primary  to  the  quality  of  life.  To  assure  that  philsm- 
thropy  merits  the  respect  and  trust  of  the  general  public,  and  that  donors  and  pro- 
spective donors  can  have  full  confidence  in  the  not-for-profit  organizations  and 
causes  they  are  asked  to  support,  we  declare  that  all  donors  have  these  rights: 

I.  To  be  informed  of  the  organization's  mission,  of  the  way  the  organization  in- 
tends to  use  donated  resources,  and  of  its  capacity  to  use  donations  effectively  for 
their  intended  purposes. 

II.  To  be  informed  of  the  identify  of  those  serving  on  the  organization's  governing 
board,  and  to  expect  the  board  to  exercise  prudent  judgment  in  its  stewardship  re- 
sponsibihties. 

III.  To  have  access  to  the  organization's  most  recent  financial  statements. 

IV.  To  be  assured  their  gifts  will  be  used  for  the  purposes  for  which  they  were 
given. 

V.  To  receive  appropriate  acknowledgment  and  recognition. 

VI.  To  be  assured  that  information  about  their  donations  is  handled  with  respect 
and  with  confidentiality  to  the  extent  provided  by  law. 

VII.  To  expect  that  all  relationships  with  individuals  representing  organizations 
of  interest  to  the  donor  will  be  professional  in  nature. 

VIII.  To  be  informed  whether  those  seeking  donations  are  volunteers,  employees 
of  the  organization  or  hired  solicitors. 

IX.  To  have  the  opportiinity  for  their  names  to  be  deleted  from  mailing  lists  that 
an  organization  may  intend  to  share. 

X.  To  feel  free  to  ask  questions  when  making  a  donation  and  to  receive  prompt, 
truthful  and  forthright  answers. 

Developed  by  American  Association  of  Fund  Raising  Counsel  (AAFRC)  Association 
for  Healthcare  Philanthropy  (AHP)  Council  for  Advancement  and  Support  of  Edu- 
cation (CASE)  National  Society  of  Fund  Raising  Executives  (NSFRE).  Endorsed  by 
(in  formation)  Independent  Sector  National  Catholic  Development  Conference 
(NCDC)  National  Committee  on  Planned  Giving  (NCPG)  National  Council  for  Re- 
source Development  (NCRD)  United  Way  of  America 
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Statement  of  Association  of  American  Medical  Colleges 

The  Association  of  American  Medical  Colleges  (AAMC)  is  pleased  to  submit  its 
views  on  the  Department  of  Health  and  Human  Services  Notice  of  Proposed  Rule- 
making (NPRM)  "Standards  for  Privacy  of  Individually  Identifiable  Health  Informa- 
tion." The  AAMC  represents  this  nation's  125  accredited  medical  schools,  approxi- 
mately 400  major  teaching  hospitals  and  health  care  systems,  and  91  academic  and 
professional  societies  representing  over  75,000  faculty  members.  Our  members  and 
institutions  provide  basic  and  specialized  healthcare  services,  conduct  research  lead- 
ing to  the  discovery  of  medical  knowledge  and  the  development  of  innovative  treat- 
ments and  therapies,  and  educate  and  prepare  physicians  to  meet  evolving  health 
care  needs.  Whether  in  utihzing  health  information  in  treating  patients,  educating 
future  physicians,  or  conducting  clinical  research  ranging  from  the  etiopathogenesis 
of  disease,  translation  and  clinical  trials  to  studies  in  epidemiology,  prevention  and 
health  services,  the  AAMC  is  keenly  aware  of  the  need  to  protect  the  privacy  of  indi- 
viduals and  the  confidentiality  of  individually  identifiable  health  information. 

The  AAMC  strongly  believes  that  the  only  comprehensive  and  nationally  coherent 
solution  to  the  complex  and  emotionally  charged  problems  of  "medical  information 
privacy  lies  in  federal  legislation,  and  we  have  steadfastly  supported  the  enactment 
of  such  to  strengthen  the  protection  of  individuals'  personally  identifiable  health  in- 
formation fi-om  inappropriate  disclosure  and  harmful  misuse.  Any  legislation  wiU  re- 
quire a  balancing  between  protecting  individuals'  health  information  and  allowing 
health  care  entities  and  providers  reasonable  access  to  information  that  can  be 
shared  for  purposes  of  treatment,  research,  and  education. 

The  NPRM's  preamble  articulates  the  department's  concern  with  its  limited  au- 
thority under  the  Health  Insurance  PortabiHty  and  Accountability  Act  (HIPAA)  of 
1996  and  the  rationale  for  the  stratagems  it  devised  to  craft  regulations  with  the 
broadest  possible  reach  in  the  face  of  those  limitations,  and  it  is  pimctuated  with 
repeated  calls  for  federal  legislation  as  the  much  preferred  approach.  These  points 
are  important  to  understanding  the  structure,  complexity  and  potential  impact  of 
the  regulations  that  have  been  proposed.  The  preamble  seeks  frequent  refuge  in  the 
principles  articulated  in  Secretary  Shalala's  thoughtful  report  to  the  Congress  in 
September  1997,  entitled  "Confidentiality  of  Individually  Identifiable  Health  Infor- 
mation." At  the  time,  the  AAMC  expressed  its  strong  general  support  of  the  prin- 
ciples, while  noting  their  ultimate  acceptabihty  would  turn  on  the  details  of  their 
implementation,  which  the  report  did  not  address.  Given  the  complexity  of  the  pro- 
posed regulations,  their  substantial  financial  and  administrative  costs,  and  the  pro- 
found operational  and  behavioral  changes  that  they  would  impose  at  every  level  of 
the  health  care  delivery  system,  it  is  ironic  to  note  that  the  relevant  HIPAA  author- 
ity derives  from  the  Administrative  Simplification  provisions  of  the  Act  (Sections 
261-264). 

Although  the  AAMC  appreciates  the  work  the  department  has  invested  in  this 
NRPM,  we  have  very  serious  reservations  about  certain  of  the  approaches  and  im- 
plementation steps.  We  fear  that  they  would  impose  unreasonable  burdens  and  un- 
wise constraints  on  the  day-to-day  functioning  of  the  health  care  delivery  system 
and  the  conduct  of  medical  research.  While  fully  supporting  the  individual's  right 
to  privacy  and  respecting  the  need  for  effective,  systemic  protections  of  the  confiden- 
tiality of  individually  identifiable  health  information,  we  believe  that  some  of  the 
standards,  implementation  requirements,  and  procedures  imposed  by  this  NPRM 
would  have  real  costs  that  far  outweigh  their  theoretical  benefits.  We  believe  that 
the  NPRM  requires  major  changes  so  that  it  will  reasonably  protect  the  privacy  of 
individually  identifiable  health  information  without  impeding  the  flows  of  health  in- 
formation required  for  the  care  of  patients,  the  operations  of  the  health  care  delivery 
system,  or  the  conduct  of  health  research.  In  particular,  the  AAMC  draws  attention 
to  the  following  salient  concerns: 

•  Impact  on  Delivery  of  Health  Care:  The  enactment  and  implementation  of 
any  standards  for  medical  information  privacy  will  impose  enormous  costs  and  ad- 
ministrative burdens  on  the  U.S.  health  care  system.  In  this  regard,  any  federal  reg- 
ulations must  be  crafted  with  precision  and  with  understanding  of  and  sensitivity 
to  the  complexity  and  magnitude  of  the  flows  of  individually  identifiable  health  in- 
formation involved  in  the  health  care  of  patients.  Unfortunately,  the  AAMC  finds 
that  many  of  the  proposed  provisions  in  the  NPRM  impose  unreasonable  burdens 
and  unwise  constraints  on  the  day  to  day  functioning  of  the  health  care  delivery  sys- 
tem. In  particular,  the  AAMC  believes  the  concepts  and  applications  of  "business 
partners,"  "minimum  necessary,"  and  "de-identified  protected  health  information" 
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are  poorly  devised  and  ill-conceived.  In  addition,  the  language  establishing  a  "code 
of  fair  information  practices"  with  respect  to  individual  access,  amendment,  and  cor- 
rection of  protected  health  information  (PHI)  needs  to  be  more  carefully  tailored  to 
the  realities  of  the  complex  patterns  and  enormous  volxmies  of  continuous  health  in- 
formation traffic  that  are  necessary  for  the  health  care  dehvery  system  to  function. 
We  urge  the  department  to  reconsider  the  proposed  regulations  in  the  NPRM,  which 
would  imjustifiably  and  unnecessarily  impede  the  critical  functions  of  the  day-to-day 
operations  of  the  entire  U.S.  health  care  system. 

•  Intrusion  on  Research:  The  AAMC  strongly  opposes  the  approach  taken  in 
the  NPRM  to  divide  medical  research  information  into  two  broad  classes,  one  "relat- 
ed," the  other  "unrelated,"  to  treatment.  HIPAA  gives  the  HHS  no  authority  to  regu- 
late researchers.  However,  the  NPRM  attempts  to  do  so  by  regulating  covered 
health  care  providers  who  are  also  researchers.  The  AAMC  finds  this  approach  un- 
necessary and  poorly  conceived.  The  distinction  of  research  information  categories 
as  described  by  the  NPRM,  in  fact,  would  serve  to  weaken  the  protections  of  con- 
fidentiahty  of  research  data  that  are  cTirrently  available,  while  imposing  heavy  bur- 
dens on  medical  researchers,  and  would  be  of  little  or  no  benefit  to  the  safeguarding 
of  individually  identifiable  health  information.  Rather  than  separating  reseau-ch  in- 
formation that  is  "related  or  unrelated  to  treatment,"  the  AAMC  beUeves  that  infor- 
mation obtained  from  research  that  is  clinically  relevant  to  the  care  of  the  subject 
should  be  entered  into  the  individual's  medical  record.  Thereby,  the  formal  "re- 
search record"  would  remain  separate  firom  the  medical  record.  It  is  the  Associa- 
tion's strong  position  that  research  information  and  clinical  information  can  and 
should  be  maintained  separately,  primarily  to  afford  the  research  information  a 
much  higher  degree  of  seciuity  than  can  be  afforded  to  chnical  information  and 
medical  records. 

•  Impact  on  Common  Rule:  The  attempt  by  the  department  to  regulate  issues 
related  to  "protected  health  information"  (PHI)  in  research  is  problematic.  In  the 
NPRM's  preamble,  the  department  notes  that  HIPAA  gives  HHS  no  authority  to 
regulate  health  researchers.  Research  involving  human  subjects  is  already  subject 
to  the  Common  Rule.  However,  the  NPRM  attempts  to  amend  the  Common  Rule 
by  adding  four  new  criteria  to  those  already  reqiiired  of  IRBs  in  consideration  of 
waiver  of  individual  authorization.  The  AAMC  strongly  opposes  this  effort  at  piece- 
meal modification  of  the  Common  Rule.  The  Association  is  unaware  of  any  credible 
evidence  indicating  that  protection  of  the  confidentiaHty  of  PHI  used  in  research  is 
not  being  adequately  respected  and  protected  by  IRBs  and  researchers  working 
under  the  requirements  of  the  existing  Common  Rule.  Moreover,  with  the  imminent 
relocation  and  reorganization  of  the  OPRR  in  the  Office  of  the  Secretary  and  forma- 
tion of  a  new  National  Advisory  Council  for  the  new  Office,  the  scrutiny  of  himian 
research  subjects  protections  underway  by  the  NBAC,  and  similar  studies  being  con- 
ducted by  the  lOM,  the  department's  approach  is  particularly  imtimely.  The  AAMC 
strongly  urges  the  department  to  abandon  this  ill-advised  approach  and  continue  to 
regulate  all  research  and  researchers  identically  under  the  provisions  of  the  Com- 
mon Rule. 

•  Preemption  of  State  Law:  The  AAMC  strongly  believes,  and  has  consistently 
argued,  that  the  workings  of  the  contemporary  health  care  delivery  system,  the  mo- 
bility of  American  citizens,  and  the  needs  of  medical  research,  especially  population- 
based  research,  all  call  for  federal  legislation  that  would  strongly  preempt  state  law 
(with  only  few  limited  exceptions  for  such  things  as  public  he^th  reporting)  and  es- 
tabhsh  a  single,  imiform  national  standard  of  medical  information  privacy  protec- 
tion. The  department  does  not  favor  such  "strong"  preemption,  and  in  any  event  as- 
serts correctly  that  it  does  not  have  authority  imder  HIPAA  to  impose  it  by  regula- 
tion. The  NPRM  would  estabhsh  a  federal  floor  of  protections  and  would  preempt 
only  contrary  provisions  of  state  laws  that  axe  less  stringent  than  those  imposed  by 
the  regulation.  It  would  thereby  permit  what  is  often  described  as  a  patchwork  of 
discordant  state  privacy  laws  of  variable  effectiveness  to  remain  in  place.  The 
NPRM's  lengthy  (fisquisition  on  the  interpretations  of  "contrary  to,"  "less  stringent" 
and  "more  stringent"  underscores  the  confusion  and  significant  burdens  that  the 
lack  of  a  single,  preemptive  federal  standard  will  place  on  covered  entities  whose 
professional  activities  and  business  transactions  increasingly  span  state  lines.  The 
entities  would  have  to  comply  not  only  with  the  federal  rule  but  with  the  more  strin- 
gent provisions  of  state  law  in  every  state  in  which  they  operated.  The  AAMC  is 
deeply  concerned  about  the  chaotic  business  climate  and  extraordinary  legal  ex- 
penses that  would  result  fi-om  the  imposition  of  this  regulation,  and  fears  that  as 
it  is  proposed,  it  will  be  unworkable.  The  AAMC  would  urge  the  Secretary  to  con- 
duct a  state-by-state  examination  and  certify  those  state  laws  that  she  deems 
"contary  and  more  stringent  than"  the  federal  rules.  All  other  state  laws  bearing 
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on  medical  information  privacy  would  thereby  be  deemed  to  be  preempted  by  the 
new  rule. 

Although  the  AAMC  appreciates  the  effort  that  the  HHS  has  invested  in  develop- 
ing this  proposal,  the  AAMC  feels  that  many  of  the  standards  in  the  NPRM  would 
not  in  actual  practice  serve  to  enhance  protections  of  the  privacy  and  confidentiality 
of  individuals  proportionately  to  the  burdens  and  complications  that  they  would  im- 
pose on  critical  functions  of  the  affected  entities.  In  several  instances,  the  depart- 
ment has  exceeded  the  authority  granted  to  it  under  HIPAA,  a  fact  that  underscores 
the  need  for  Congress  to  revisit  this  complex  issue  to  ensure  that  a  system  of  protec- 
tion of  individually  identifiable  health  information  is  logical,  coherent  and  nationally 
uniform,  not  needlessly  burdensome  and  costly,  and  will  neither  impede  health  care 
dehvery  nor  vital  health  research.  While  fully  supporting  the  individual's  right  to 
privacy  and  respecting  the  need  for  effective,  systemic  protections  of  the  corSiden- 
tiality  of  individually  identifiable  health  information,  the  implementation  of  the 
standards  and  procedures  imposed  by  this  NPRM  would  have  real  costs  that  far  out- 
weigh their  theoretical  benefits  and  would  serve  to  deter  legitimate  and  useful  shar- 
ing of  information  that  may  be  vital  for  treatment,  research  and  medical  education. 


Statement  of  Jane  M.  Orient,  M.D.,  Association  of  American  Physicians  and 
Surgeons,  Inc.,  Tucson,  AZ 

The  Association  of  American  Physicians  and  Surgeons  (AAPS),  founded  in  1943 
to  protect  private  medicine  and  the  patient-physician  relationship,  represents  physi- 
cians in  all  specialties  nationwide. 

Both  Congress  and  the  White  House  have  expressed  well-founded  concerns  about 
the  privacy  of  medical  records.  However,  proposed  legislation,  as  well  as  the  stand- 
ards on  "the  privacy  of  individually  identifiable  health  information"  recently  promul- 
gated by  the  Department  of  Health  and  Human  Services  as  mandated  by  the  Health 
Insurance  Portability  and  AccoimtabiHty  Act,  would  have  an  effect  opposite  to  the 
stated  intention  of  protecting  patient  confidentiality.  Both  the  proposed  regulations 
and  various  legislative  proposals  establish  procedures  permitting  and  facilitating 
the  disclosure  of  information  for  which  disclosure  is  now  either  prohibited  or  prac- 
tically impossible. 

The  objective  of  writing  standards  for  the  electronic  transmission  of  data  has  been 
subverted  into  a  pretext  for  changing  the  fundamental  ethics  of  the  patient-physi- 
cian relationship  and  the  purpose  of  medical  records. 

In  the  tradition  of  Hippocrates,  the  physician  serves  the  patient,  who  trusts  him 
to  abide  by  the  precept  that  "All  that  may  come  to  my  knowledge  in  the  exercise 
of  my  profession  or  outside  of  my  profession  or  in  daily  commerce  with  men,  which 
ought  not  to  be  spread  abroad,  I  will  keep  secret  and  never  reveal."  The  traditional 
medical  record  consists  of  the  physicians'  notes  and  other  data,  such  as  laboratory 
reports,  related  to  the  specific,  narrow  purpose  of  providing  optimal  care  to  the  indi- 
vidual patient.  The  actual  information  in  tne  record  belongs  to  the  patient,  who  tra- 
ditionally has  had  control  over  the  dissemination  of  that  information. 

The  proposed  regulations  overturn  these  basic  principles.  The  patient's  right  to 
refuse  consent  to  release  his  records  is  abrogated.  All  patients  (or  at  least  those  who 
have  any  medical  records  in  electronic  format)  are  thus  required  to  serve  adminis- 
tratively determined  societal  objectives:  "health  services  research"  as  well  as  medi- 
cal research;  the  detection  and  prosecution  of  violations  of  any  law,  rule,  or  regula- 
tion; monitoring  physician  compliance  with  practice  "guidelines — and  central  alloca- 
tion of  resources.  All  of  these  are  generally  irrelevant  to  and  may  actually  be  con- 
trary to  the  best  interests  of  the  patient.  "National  priorities,"  undefined  or  vaguely 
defined,  are  held,  at  the  discretion  of  an  administrative  agency,  to  override  the  indi- 
vidual's right  to  liberty  (as  the  liberty  to  seek  care  from  a  physician  who  guards 
patients'  privacy).  Individual  Fourth  Amendment  rights  are  easily  swept  aside  by 
assertion  of  a  collective  "need."  Vastly  expanded  administrative  powers  trump  the 
requirement  for  judicial  procedure  to  obtain  a  search  warrant. 

While  medical  professionals  wiU  be  placed  in  the  dilemma  of  violating  their  pro- 
fessional ethics  or  committing  a  federal  crime  by  not  releasing  data,  they  will  also 
be  held  responsible,  under  pain  of  prison  and  enormous  fines,  for  monitoring  behav- 
ior of  other  entities  with  which  they  contract  but  over  which  they  have  little  control. 
Additionally,  they  will  be  required  to  implement  costly  and  onerous  notification  and 
other  paperwork  requirements  that  actually  provide  no  meaningful  patient  protec- 
tion. 

In  short,  proposed  rules  and  laws  serve  the  interest  of  expanded  use  rather  than 
real  protections.  The  expanded  use  may  serve  some  narrow  special  interests  as  well 
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as  regulators  and  prosecutors  but  will  be  of  very  questionable  medical  or  scientific 
value,  especially  since  accuracy  will  be  compromised  by  the  withholding  of  sensitive 
information. 
We  recommend  the  following: 

1.  A  moratoriimi  on  the  proposed  regulations.  (Comments  submitted  to  HHS  are 
appended.) 

2.  Legislation  that  embodies  the  following  basic  principles: 

a.  The  right  of  all  Americans  to  seek  medical  treatment  outside  of  any  medical 
insurance  plan  in  which  they  may  be  enrolled  should  be  expHcitly  guaranteed  espe- 
cially (but  not  exclusively)  if  the  plan  requires  electronic  data  storage  or  trans- 
mission as  a  condition  of  coverage. 

2.  Electronic  data  storage  or  transmission  should  require  the  patient's  expHcit, 
fully  informed  consent  before  the  data  are  entered. 

3.  No  medical  professional  may  be  required  to  perform  any  act  that  violates  his 
conscience  as  a  condition  of  being  permitted  to  practice  his  profession  or  specialty. 

4.  Patients  should  have  a  cause  of  civil  action  against  any  individual,  including 
an  agent  of  the  government,  who  causes  him  harm  by  the  misuse  of  computerized 
data.  To  this  end,  any  electronic  data  processing  system  estabUshed  under  this  Act 
should  include  a  mechanism  for  tracking  all  individuals  who  access  identifiable 
records. 


Congress  of  the  United  States 
House  of  Representatives 

February  14,  2000 

The  Honorable  Donna  E.  Shalala 
Secretary  of  Health  and  Human  Services 
200  Independence  Ave.  SW 
Washington,  D.C.  20201 

Dear  Secretary  Shalala: 

We  are  writing  to  comment  on  the  proposed  rule  on  standards  for  privacy  of  indi- 
vidually identifiable  health  information  that  was  pubUshed  in  the  Federal  Register 
on  November  3,  1999. 

We  commend  you  for  moving  forward  swiftly  with  this  effort  and  for  the  thorough 
and  thoughtful  discussion  contained  in  the  proposed  rule.  Because  Congress  did  not 
meet  its  self-imposed  August  21,  1999,  deadUne  for  passing  medical  privacy  legisla- 
tion, the  proposed  rule  is  an  important  and  necessary  step  toward  addressing  the 
pressing  need  for  health  information  privacy  protections. 

We  beheve  that  the  proposed  rule  as  a  whole  provides  a  soUd  foundation  of  pri- 
vacy protections  that  will  improve  our  health  care  system.  It  estabhshes  strong  pri- 
vacy requirements  while  ensuring  access  to  health  information  for  important  pubUc 
interest  purposes  such  as  health  research.  However,  several  significant  gaps  in  pri- 
vacy protection  remain.  Some  gaps  relate  to  statutory  constraints  on  your  authority 
to  regulate,  including  the  lack  of  privacy  restrictions  applicable  to  entities  that  re- 
ceive individually  identifiable  health  information  but  are  not  covered  by  the  rule 
and  the  lack  of  a  private  right  of  action  that  would  enable  individuals  to  seek  re- 
dress for  privacy  violations.  Other  gaps  include  the  exclusion  from  coverage  of  cer- 
tain entities  that  provide  insurance  coverage  for  health  care  services,  and  the  lack 
of  sufficient  restrictions  on  law  enforcement  access  to  individuals'  health  informa- 
tion. 

Congress  should  work  to  pass  legislation  that  builds  on  the  proposed  rule  and  ad- 
dresses issues  the  proposed  rule  does  not  cover.  We  have  sponsored  comprehensive 
medical  privacy  legislation  that  we  believe  would  accomplish  these  goals.  We  hope 
to  continue  to  work  with  you  and  other  interested  parties  to  promote  the  passage 
of  meaningful  medical  privacy  legislation.  In  the  meantime,  we  urge  you  to  issue 
final  medical  privacy  regulations  expeditiously,  so  that  the  pubhc's  medical  records 
are  protected  as  soon  as  possible. 

The  following  are  our  comments  on  specific  aspects  of  the  proposed  rule. 

I.  SCOPE 

We  agree  with  the  approach  discussed  in  the  proposed  rule's  "Applicabihty"  sec- 
tion to  apply  privacy  protections  to  individually  identifiable  health  information  that 
has  been  transmitted  or  maintained  electronically  regardless  of  whether  the  infor- 
mation remains  in  electronic  form.  One  of  the  goals  of  Congress  in  enacting  the 
1996  Health  Insurance  PortabiUty  and  AccountabiHty  Act  (HIPAA)  was  to  provide 
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for  the  establishment  of  an  effective  privacy  protection  system  for  health  informa- 
tion. A  privacy  protection  policy  that  would  deny  access  to  health  information  when 
it  is  on  a  computer,  but  allow  access  once  the  information  is  printed  off  the  com- 
puter onto  paper  or  discussed  orally  by  those  viewing  the  computer  screen  would 
leave  gaping  holes  in  protection.  To  ensure  a  meaningful  system  of  privacy  protec- 
tion that  is  consistent  with  congressional  intent,  it  is  appropriate  and  necessary  to 
protect  health  information  that  has  been  transmitted  or  maintained  in  electronic 
form  even  where  the  information  does  not  remain  in  electronic  form. 

Nevertheless,  we  are  concerned  that  the  protections  set  forth  in  the  proposed  rule 
do  not  apply  to  health  information  that  has  never  been  maintained  or  transmitted 
electronically.  We  agree  with  your  analysis  that  a  primary  concern  of  HIPAA  was 
that  computerization  of  the  health  care  system  was  increasing  apprehension  about 
electronic  dissemination  of  health  information.  Any  comprehensive  medical  privacy 
protection  system,  however,  should  ensure  that  individuals'  identifiable  health  infor- 
mation in  any  form  will  receive  appropriate  privacy  protections.  It  should  not  be 
legal  to  sell  an  individual's  health  record  for  marketing  purposes  just  because  the 
record  happens  to  have  been  maintained  only  in  paper  form.  We  have  reviewed  your 
analysis  concluding  that  you  have  authority  to  apply  your  proposed  rule  to  records 
maintained  solely  in  paper  form  and  agree  that  you  do  have  such  authority.  We 
urge  you  to  exercise  your  full  authority  and  apply  the  proposed  rule  to  records  main- 
tained solely  in  paper  form. 

With  respect  to  the  scope  of  entities  covered  by  the  proposed  rule,  we  are  con- 
cerned that,  in  the  "Definitions"  section,  the  proposed  rule  excludes  certain  insur- 
ance entities  such  as  auto  insurers  from  the  definition  of  "health  plan"  (referencing 
29  U.S.C.  1186(c),  which  has  been  renumbered  29  U.S.C.  1191b(c)).  Under  the  pro- 
posed rule,  an  auto  insurer  that  pays  health  care  costs  associated  with  an  individ- 
ual's broken  arm  would  not  be  subject  to  federal  privacy  restrictions  regarding  the 
health  records  used  in  the  payment  transaction.  At  the  same  time,  a  health  plan 
that  pays  for  treating  the  broken  arm  would  be  subject  to  federal  privacy  restric- 
tions regarding  the  records  used  in  the  pajmient  transaction.  It  does  not  make  sense 
to  make  such  a  distinction  among  insurers  who  are  paying  for  health  care,  and  we 
do  not  believe  that  HIPAA  mandates  this  distinction  between  insurers  with  respect 
to  medical  privacy  regulations.  We  urge  you  not  to  exclude  the  types  of  insurance 
coverage  listed  in  29  U.S.C.  1191b(c)  from  the  rule  when  such  coverage  pays  the  cost 
of  medical  care. 

Further,  any  comprehensive  medical  privacy  law  should  apply  privacy  protection 
requirements  to  all  entities  that  obtain  protected  health  information.  As  you  know, 
because  statutory  constraints  limited  the  proposed  rule's  applicability  only  to  health 
plans,  health  care  providers,  and  health  care  clearinghouses,  the  proposed  rule  does 
not  reach  a  number  of  entities  that  obtain  individuals'  health  information.  This 
means  that,  under  the  proposed  rule,  a  health  researcher  could  obtain  health  infor- 
mation fi-om  a  health  care  provider  for  health  research,  and  then  disclose  it  to  mar- 
keters or  the  individual's  employer  with  no  restrictions.  We  will  continue  to  press 
for  the  passage  of  legislation  which  applies  privacy  protection  requirements  to  all 
appropriate  entities. 

II.  GENERAL  RULES 

The  proposed  rule's  sections  entitled  "Introduction  to  General  Rules"  and  "Mini- 
mum Necessary"  set  forth  basic  rules  that  are  essential  to  medical  privacy  protec- 
tion. Any  comprehensive  medical  privacy  law  should  prohibit  the  use  or  disclosure 
of  individually  identifiable  health  information  without  the  individual's  authorization 
or  specific  authorization  by  law.  Medical  privacy  law  should  also  ensure  that,  where 
use  or  disclosure  of  such  information  is  authorized,  entities  take  all  reasonable  steps 
to  use  non-identifiable  (or  de-identified)  health  information  instead  of  identifiable 
health  information.  Further,  medical  privacy  law  should  require  that  identifiable  in- 
formation will  be  used  and  disclosed  only  to  the  minimum  extent  necessary  to  ac- 
complish the  legitimate  purpose  for  which  it  was  obtained.  These  ground  niles  es- 
tablish clear  presumptions  that  use  and  disclosure  of  individually  identifiable  health 
information  will  be  limited  and  narrowly  tailored  to  legitimate  purposes.  We  are 
pleased  that  the  proposed  rule  includes  provisions  that  reflect  these  principles. 

III.  CONTENT  OF  AUTHORIZATION  FORM 

The  proposed  rule's  section  entitled  "Individual  Authorization"  establishes  nec- 
essary requirements  for  the  content  of  authorization  forms.  Authorization  forms 
should  contain  sufficient  information  to  ensure  that  individuals  can  make  informed 
authorization  decisions.  We  are  concerned  that  individuals  seeking  health  treatment 
are  vulnerable  to  requests  fi:*om  health  care  providers  and  others  to  authorize  uses 
and  disclosures  of  their  health  information  for  piuTJOses  beyond  treatment,  payment. 
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and  health  care  operations.  Individuals  in  such  a  situation  should  have  a  clear  un- 
derstanding that  their  treatment  and  pajnnent  are  not  conditioned  on  providing  au- 
thorizations to  allow  their  health  information  to  be  used  for  marketing,  by  their  em- 
ployers, or  for  other  purposes.  Individuals  also  should  be  informed  to  the  maximum 
extent  practicable  about  how  their  information  would  be  used  and  disclosed  under 
the  authorization. 

It  would  be  insufficient,  for  example,  to  seek  an  authorization  from  an  individual 
but  to  only  describe  to  the  individual  generally  what  uses  and  disclosures  are  legal. 
Rather,  individuals  should  be  informed  of  the  purposes  for  which  the  information 
is  sought  as  well  as  the  proposed  uses  and  disclosures  of  the  information.  In  addi- 
tion, the  authorization  form  itself  should  state  that  treatment  and  payment  are  not 
conditioned  on  agreeing  to  the  authorization.  The  proposed  rule  includes  such  con- 
tent requirements,  and  therefore  we  believe  that  the  authorization  content  required 
by  the  proposed  rule  will  facihtate  informed  consent. 

IV.  INDIVIDUAL  RIGHTS 

The  proposed  rule  provides  individuals  with  rights  that  are  integral  to  ensuring 
that  they  have  appropriate  information  about  and  involvement  with  their  own 
health  records.  In  the  sections  entitled  "Access  for  Inspection  or  Copying'  and 
"Amendment  or  Correction,"  the  proposed  rule  providesimportant  rights  that  enable 
individuals  to  access,  copy,  and  correct  their  own  records,  so  that  individuals  can 
have  a  remedy  when  inaccurate  information  in  their  records  is  being  used  in  trans- 
actions that  affect  them.  Further,  the  requirements  in  the  "Accounting  of  Disclo- 
sures" and  "Notice  of  Information  Practices"  sections  that  covered  entities  must  pro- 
vide individuals  with  a  notice  of  their  information  practices  and  the  opportunity  to 
review  accounting  of  certain  disclosures  are  necessary  to  ensure  that  individuals 
have  appropriate  information  about  the  uses  and  disclosures  that  occur  regarding 
their  own  health  records. 

We  request,  however,  that  you  review  your  decision  not  to  include  a  requirement 
that  covered  entities  obtain  a  signed  acknowledgment  from  individuals  stating  that 
the  individuals  have  received  the  notice  and  been  informed  of  their  rights.  Such  a 
requirement,  which  is  included  in  H.R.  1941,  legislation  introduced  by  Mr.  Condit, 
would  enhance  the  right  to  notice  set  forth  in  the  proposed  rule  by  encouraging  indi- 
viduals to  consider  carefully  their  rights  and  the  information  practices  that  affect 
them  before  providing  their  health  information  to  a  covered  entity.  An  alternative 
approach  to  encouraging  individuals  to  review  and  reflect  on  their  medical  privacy 
rights  is  to  require  that  individuals  sign  an  authorization  form  before  a  covered  en- 
tity may  disclose  their  health  information  for  any  purpose.  This  approach  is  taken 
in  H.R.  1057,  legislation  introduced  by  Mr.  Markey. 

We  recognize  the  logistical  questions  you  have  raised  regarding  exactly  how 
signed  acknowledgments  should  be  provided,  and  the  concerns  you  discuss  regarding 
requiring  authorizations  for  treatment,  payment,  and  health  care  operations  pur- 
poses. We  are  interested  in  and  look  forward  to  reviewing  the  comments  of  relevant 
parties  on  these  issues.  We  urge  you  to  continue  to  work  to  create  optimal  condi- 
tions for  ensuring  that  individuals  engage  in  meaningful  review  of  their  privacy 
rights  and  the  information  practices  of  covered  entities,  without  imposing  inappro- 
priate burdens  on  covered  entities. 

With  respect  to  the  section  entitled  "Accounting  of  Disclosures,"  we  beheve  that 
it  is  important  to  provide  individuals  with  a  means  of  learning  about  disclosures 
that  an  entity  has  made  of  their  health  information  without  imposing  unnecessarily 
burdensome  accounting  requirements  on  the  entity.  As  you  know,  the  proposed  rule 
attempts  to  balance  these  concerns  by  excluding  treatment,  payment,  and  health 
care  operations  disclosures  from  the  acco\inting  requirements.  The  rationale  behind 
the  proposed  rule's  effort  to  balance  these  concerns  is  reasonable.  We  agree  with  the 
proposed  rule's  analysis  that  individuals  generally  have  the  most  interest  in  disclo- 
sures that  they  cannot  easily  anticipate  will  be  made  with  their  health  information. 

However,  the  definitions  of  treatment,  payment,  and  health  care  operations  coyer 
a  broad  range  of  activities,  from  determination  of  coverage,  to  billing,  to  utiUzation 
review,  to  disease  management,  to  reviewing  the  competence  of  health  care  profes- 
sionals, among  many  other  activities.  Given  this  breadth,  individuals  will  not  nec- 
essarily easily  anticipate  that  their  health  information  will  be  shared  for  each  type 
of  treatment,  payment,  and  health  care  operations  activity.  Therefore,  we  are  con- 
cerned that  the  proposed  rule  may  not  provide  individuals  with  adequate  means  to 
learn  about  the  disclosures  that  have  been  made  with  their  health  information.  Ac- 
cordingly, we  request  that  you  carefully  review  whether  exclusion  of  all  treatment, 
payment,  and  health  care  operations  disclosures  from  accounting  requirements  is 
appropriate. 
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V.  UNDERWRITING 

It  is  our  understanding  that  under  current  practice,  insurers  that  seek  an  individ- 
ual's identifiable  health  information  to  conduct  underwriting  generally  first  obtain 
an  authorization  fi-om  the  individual  that  delineates  the  uses  and  disclosures  that 
the  insurer  may  make  with  the  information,  unless  the  underwriting  activity  con- 
cerns an  existing  insurance  contract.  Several  congressional  medical  privacy  propos- 
als, however,  contain  broad  language  that  would  allow  insurers  to  obtain  an  individ- 
ual's health  information  for  "underwriting"  without  obtaining  an  individual's  au- 
thorization. We  are  aware  of  no  good  policy  reason  to  encourage  in  a  federal  law 
a  change  in  current  practice  by  allowing  underwriting  without  the  patient's  permis- 
sion. 

We  therefore  are  pleased  that  the  proposed  rule  makes  clear,  in  the  section  enti- 
tled "Definitions,"  that  insurers  may  obtain  and  use  an  individual's  identifiable 
health  information  for  imderwriting  activities  without  the  individual's  permission 
only>  when  the  individual  is  enrolled  in  the  plan  conducting  the  activities  and  the 
activities  concern  an  existing  contract.  We  ask  that  you  provide  clarification,  how- 
ever, on  whether  under  the  proposed  rule,  authorization  from  the  individual  is  re- 
quired for  underwriting  activity  relating  to  a  change  in  contract  within  the  same 
health  plan,  and  whether  the  proposed  rule  diverges  fi*om  current  practice  on  this 
specific  issue. 

VI.  DISCLOSURES  FOR  HEALTH  RESEARCH  PURPOSES 

Health  research  is  critical  to  the  effective  operation  of  our  health  care  system. 
Medical  privacy  law  should  ensure  both  access  to  data  necessary  for  conducting 
health  research  and  patient  confidence  in  the  confidentiahty  of  their  health  informa- 
tion. Accordingly,  we  believe  that,  before  individually  identifiable  health  information 
is  disclosed  for  health  research,  a  board  independent  fi-om  the  entities  seeking  or 
disclosing  individually  identifiable  health  information  for  health  research  should  re- 
view the  research  and  determine  that  appropriate  privacy  protections  are  in  place. 
At  the  same  time,  there  should  be  a  means  of  ensuring  expedited  review  where  re- 
search poses  minimal  privacy  threats.  In  the  section  entitled  "Research,"  the  pro- 
posed rule  takes  a  significant  step  forward  toward  accomplishing  these  goals  by  in- 
cluding requirements  that  incorporate  elements  of  the  "Common  Rule"  standards 
that  currently  apply  to  review  of  federally  funded  research  conducted  by  institu- 
tional review  boards  (IRBs). 

With  increased  federal  restrictions  on  access  to  medical  records,  more  and  more 
entities  seeking  medical  records  are  likely  to  claim  that  they  are  engaged  in  re- 
search. Therefore,  review  committees  internal  to  such  entities  would  likely  face 
pressures  to  authorize  disclosures  that  will  advance  the  entity's  financial  interests. 
The  proposed  rule's  requirements  that  no  individual  on  the  board  reviewing  the  re- 
search can  have  a  conflict  of  interest  with  the  research  and  that  at  least  one  mem- 
ber of  the  board  cannot  be  affiliated  with  the  institution  conducting  the  research 
help  address  this  concern.  We  believe,  however,  that  the  proposed  rule  would  be  im- 
proved by  also  including  a  requirement  that  the  Secretary  certify  that  such  boards 
meet  the  rule's  criteria.  This  requirement,  which  is  contained  in  H.R.  1941,  estab- 
lishes a  third  party  mechanism  to  ensure  that  board  are  capable  of  exercising  inde- 
pendent judgment.  We  urge  you  to  incorporate  this  reqxiirement  into  the  final  rule. 

It  is  worth  noting  that  appl3ang  Common  Rule  standards  to  review  of  privately 
funded  research  is  consistent  with  the  approach  advocated  in  recent  testimony  be- 
fore the  House  Subcommittee  on  Health  and  Environment  of  the  Committee  on 
Commerce  by  both  members  and  chairs  of  IRBs  and  representatives  of  individuals 
with  serious  health  conditions  who  have  a  tremendous  personal  stake  in  health  re- 
search, such  as  the  National  Breast  Cancer  CoaUtion  and  the  National  Organization 
for  Rare  Disorders.  These  witnesses  underscored  that  extending  Common  Rule  pro- 
tections to  all  health  research  not  only  would  be  practicable  but  would  benefit 
health  research.  For  example,  Dr.  Greg  Koski,  Director  of  Human  Research  Affairs 
for  Partners  Health  Care  System  in  Boston,  who  has  served  over  15  years  as  a 
member  and  chair  of  an  IRB,  stated  that  applying  Common  Rule  protections  to  pri- 
vately funded  research  would  improve  health  research  because  "by  protecting 
human  subjects  and  by  letting  them  know  that  we  are  putting  their  interests  in  the 
appropriate  priority,  there  will  be  a  greater  willingness  to  participate  in  research." 
He  also  noted  that  additional  guidance  regarding  specific  mechanisms  for  confiden- 
tiality protection  should  be  set  forth  for  IRBs. 

VII.  LAW  ENFORCEMENT 

The  provisions  in  the  proposed  rule's  section  entitled  "Law  Enforcement"  do  not 
establish  sufficient  privacy  assurances  to  individuals.  We  believe  that,  except  in 
emergency  circumstances,  disclosure  of  an  individual's  health  records  to  law  enforce- 
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ment  officials  should  only  occur  pursuant  to  a  warrant,  or  if  the  individual  has  re- 
ceived notice  of  the  proposed  disclosure  and  has  had  an  opportunity  to  challenge  the 
disclosure.  Such  an  approach,  which  is  set  forth  in  H.R.  1941,  ensures  that  law  en- 
forcement officials  do  not  have  unchecked  discretion  to  determine  the  necessity  of 
obtaining  individuals'  health  records.  The  proposed  rule  does  not  meet  this  stand- 
ard, as  it  allows  for  disclosure  of  an  individual's  personal  information  to  law  enforce- 
ment officials  pursuant  to  a  range  of  procedures,  including  a  grand  jury  subpoena, 
without  any  neutral  third  party  review  or  notice  to  the  individual. 

VIII.  JUDICIAL  AND  ADMINISTRATIVE  PROCEEDINGS 

We  are  concerned  that  the  proposed  rule,  in  the  provisions  entitled  "Judicial  and 
Administrative  Proceedings,"  would  allow  the  disclosure  of  an  individual's  health  in- 
formation for  a  judicial  or  administrative  proceeding  simply  on  the  basis  of  a  re- 
quest from  an  agency  or  a  counsel  representing  a  party  in  the  proceeding,  if  the  in- 
dividual's health  is  at  issue  in  the  proceeding.  Individuals  whose  information  is  the 
subject  of  such  a  request  should  have  notice  of  the  request  and  an  opportunity  to 
challenge  the  request.  We  ask  that  you  revise  the  proposed  rule  to  include  this  re- 
quirement. 

IX.  ENFORCEMENT 

No  matter  how  strong  federal  privacy  protections  may  be,  they  wiU  be  difficult 
to  enforce  unless  individuals  have  the  right  to  seek  redress  for  privacy  violations. 
A  private  right  of  action  is  an  essential  enforcement  tool  because  the  government 
is  not  likely  to  pursue  civil  sanctions  for  individual  violations.  Enforcement  through 
criminal  sanctions  is  also  insufficient  since  prosecutions  are  brought  selectively  and 
face  a  high  standard  of  proof.  Every  major  privacy  bill  Congress  has  enacted,  includ- 
ing the  Fair  Credit  Reporting  Act,  the  Cable  Commimications  Policy  Act,  the  Elec- 
tronic Communications  Privacy  Act,  the  Video  Privacy  Protection  Act,  and  the  Right 
to  Financial  Privacy  Act,  has  contained  a  private  right  of  action.  We  understand 
that  you  did  not  have  the  authority  to  provide  for  a  private  right  of  action,  and  we 
will  continue  to  press  to  ensure  that  Congress  passes  medical  privacy  legislation 
that  contains  this  crucial  enforcement  tool. 

X.  PREEMPTION 

We  are  pleased  that,  consistent  with  the  framework  set  forth  in  HIPAA,  the  pro- 
posed rule  would  not  preempt  state  laws  that  provide  greater  privacy  protections 
than  those  in  the  proposed  rule.  Setting  a  federal  floor  is  important  because  it  gives 
states  the  abiUty  to  enact  stronger  state  privacy  laws  in  those  circumstances  where 
they  want  to  address  issues  of  particular  concern  to  their  citizens.  For  example, 
some  states  have  enacted  privacy  laws  to  encourage  individuals  to  get  tested  or 
treated  for  communicable  diseases,  alcohol  and  drug  abuse,  and  other  conditions. 
The  "floor"  approach  also  allows  states  the  flexibility  to  protect  their  citizens  regard- 
ing specific  health  crises  or  concerns  that  we  cannot  predict  at  this  time.  We  will 
continue  to  work  to  ensure  that  any  medical  privacy  legislation  enacted  by  Congress 
establishes  a  federal  floor. 

We  recognize  that  there  may  be  questions  in  some  instances  as  to  whether  an  in- 
dividual state  law  is  more  protective  than  the  federal  law.  H.R.  1941  provides  a 
mechanism  for  addressing  such  questions  by  requiring  the  Secretary  to  give  advi- 
sory opinions  as  to  whether  a  state  law  is  more  protective.  We  are  pleased  that,  in 
the  section  entitled  "Relationship  to  State  Laws,"  the  proposed  rule  provides  a  simi- 
lar mechanism  by  allowing  states  to  request  an  advisory  opinion.  We  believe,  how- 
ever, that  any  person,  not  just  states,  should  be  able  to  seek  such  an  opinion,  and 
urge  you  to  revise  the  proposed  advisory  opinion  process  to  allow  for  such  requests. 

We  strongly  believe  that  state  laws  that  provide  greater  protections  than  the  pro- 
posed rule  should  not  be  preempted.  We  are  concerned,  however,  about  the  provision 
in  the  proposed  rule  which  states  that  the  Secretary  may  determine  that  the  pro- 
posed rule  will  not  preempt  a  state  law  if  that  state  law  is  necessary  for  "the  effi- 
ciency and  effectiveness  of  the  health  care  system."  Depending  on  how  it  is  inter- 
preted, this  vaguely  worded  provision  could  allow  a  broad  range  of  state  laws  that 
are  less  protective  than  the  proposed  rule  to  stand.  We  request  that  you  revise  this 
provision  to  ensure  that  it  does  not  become  a  wide  loophole  for  avoiding  the  pro- 
posed rule's  requirements. 

XI.  CESSATION  OF  OPERATIONS 

We  are  concerned  that  the  proposed  rule  does  not  clearly  address  whether  privacy 
protections  would  apply  to  health  records  maintained  by  a  covered  entity  once  that 
entity  has  ceased  to  do  business.  We  urge  you  to  ensure  that  health  records  have 
appropriate  protections  in  such  circumstances,  as  suggested  in  H.R.  1941  and  as  en- 
visioned in  H.R.  307,  legislation  introduced  by  Mr.  Towns. 
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XII.  CONCLUSION 


The  proposed  rule  not  only  establishes  a  strong  foundation  of  privacy  protections, 
but  it  presents  ideas  and  arguments  that  enhance  the  debate  among  parties  inter- 
ested in  medical  privacy  policy.  We  look  forward  to  reviewing  the  comments  of  oth- 
ers on  the  proposed  rule  and  your  response  to  our  comments.  We  will  work  to  en- 
sure that  Cfongress  acts  to  pass  legislation  that  incorporates  the  important  privacy 
protections  included  in  the  proposed  rule  and  addresses  areas  that  require  further 
protection. 

Sincerely, 


Members  of  Congress 


Gary  A.  Condit 
Henry  A.  Waxman 
Edward  J.  Markey 
John  D.  Dingell 
Sherrod  Brown 
Edolphus  Towns 
David  E.  Bonior 
Major  R.  Owens 
Patsy  T.  Mink 
Gene  Green 
Barney  Frank 
Lucille  Roybal-Allard 
Paul  E.  Kanjorski 
Albert  Russell  Wynn 
Fortney  Pete  Stark 
Lynn  C.  Woolsey 


William  D.  Delahunt 
Mike  Thompson 
John  F.  Tiemey 
Carlos  A.  Romero-Barcelo 
Jim  McDermott 
Janice  D.  Schakowsky 
Neil  Abercrombie 
Eleanor  Holmes  Norton 
Carolyn  B.  Maloney 
Harold  E.  Ford,  Jr. 
John  Joseph  Moakley 
James  P.  McGovem 
Dennis  J.  Kucinich 
Ellen  O.  Tauscher 
Sam  Farr 
Benard  Sanders 


cc:  U.S.  Department  of  Health  and  Human  Services 
Assistant  Secretary  for  Planning  and  Evaluation 
Attention:  Privacy-P,  Room  G-322A 
Hubert  Humphrey  Building 
200  Independence  Avenue,  SW 
Washington,  DC  20201 


February  16,  2000 

The  Honorable  Secretary  Donna  E.  Shalala 
Secretary  of  Health  and  Human  Services 
200  Independence  Avenue,  SW 
Washington,  B.C.  20201 

Dear  Secretary  Shalala: 

We  are  writing  regarding  the  proposed  rule  on  standards  for  privacy  of  individ- 
ually identifiable  health  information  that  was  published  in  the  Federal  Register 
on  November  3,  1999.  We  want  to  associate  ourselves  with  the  comments  on  the 
proposed  rule  that  were  set  forth  in  the  February  14,  2000  letter  to  you  from  Rep- 
resentatives Gary  A.  Condit,  Henry  A.  Waxman,  Edward  J.  Markey,  John  D.  Din- 
geU,  and  28  other  colleagues. 

Protecting  the  privacy  of  medical  records  is  integral  to  the  effective  operation  of 
our  health  care  system.  We  appreciate  your  efforts  on  this  important  issue  and  we 
look  forward  to  continuing  to  work  with  you,  our  colleagues,  and  others  to  advance 
appropriate  and  comprehensive  medical  privacy  protections. 

Sincerely, 

Members  of  Congress 

Gerald  D.  Kleczka  Tom  Lantos 

Donna  Christian-Christensen  Louise  Slaughter 

cc:  U.S.  Department  of  Health  and  Human  Services 
Assistant  Secretary  for  Planning  and  Evaluation 
Attention:  Privacy-P,  Room  G-322A 
Hubert  Humphrey  Building 


200  Independence  Avenue,  SW 
Washington,  DC  20201 
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Statement  of  the  Consortium  for  Citizens  with  Disabilities 

I.  General  Privacy  Concerns 

The  Consortium  for  Citizens  with  Disabihties  (CCD)  is  a  Washington-based  coaH- 
tion  of  approximately  100  national  disability,  consumer,  advocacy,  provider  and  pro- 
fessional organizations  that  advocate  on  behalf  of  54  million  children  and  adults 
with  disabilities  and  their  families  in  the  United  States.  As  advocates  for  people 
with  disabilities,  CCD  supports  strong  privacy  protections  that  give  health  care  con- 
simiers  confidence  that  their  information  will  be  used  appropriately  and  that  permit 
the  continued  viability  of  medical  research  and  delivery  of  quality  health  care. 

All  persons  who  receive  health  care  services  have  reason  to  be  concerned  with  the 
inappropriate  use  of  highly  personal  information  that  is  collected  about  them  within 
the  health  care  system.  As  a  coalition  representing  people  living  with  disabilities, 
however,  CCD's  views  on  this  issue  are  somewhat  unique.  Because  people  with  dis- 
abilities have  extensive  medical  records  and  sometimes  stigmatizing  conditions, 
such  individuals  feel  a  particular  urgency  to  ensure  that  proper  privacy  protections 
are  in  place.  At  the  same  time,  many  people  with  disabilities  interact  almost  daily 
with  the  medical  establishment  and  thus  benefit  from  a  well-run,  effective  health 
care  system.  Such  individuals  do  not  want  privacy  protection  to  reduce  the  effective- 
ness of  the  health  care  system  they  must  navigate. 

CCD  has  been  actively  involved  in  the  medical  privacy  debate,  and  believes  that 
the  desire  for  medical  privacy  and  the  desire  for  an  effective  health  care  system  are 
neither  in  conflict  with  each  other,  nor  do  they  require  "balancing"  of  one  interest 
against  another.  Rather,  establishing  privacy  protection  can  enhance  the  operation 
of  the  health  care  system,  by  increasing  individuals'  trust  and  confidence  in  that 
system.  A  national  survey  released  in  January  1999  found  that  one  in  six  Americans 
engages  in  some  form  of  "privacy  protective  behavior"  because  he  or  she  is  afraid 
of  confidentiality  breaches  regarding  sensitive  medical  information.  These  activities 
include  withholding  information  from  health  care  providers,  providing  inaccurate  in- 
formation, doctor-hopping  to  avoid  a  consolidated  medical  record,  paying  out  of  pock- 
et for  care  that  is  covered  by  insurance,  and-in  some  cases-avoiding  care  altogether. i 
None  of  this  is  good  for  either  consumers  or  the  health  care  system. 

II.  General  Approach  of  the  Proposed  Regulations 

CCD  applauded  the  President  and  the  Secretary's  action  to  release  the  proposed 
rule.  After  reviewing  the  proposal,  we  continue  to  believe  that  the  Department  of 
Health  and  Human  Services'  efforts  hold  the  potential  to  significantly  increase  pri- 
vacy protections,  and  equally  important,  provide  people  new  assurances  that  their 
deeply  personal  medical  information  will  be  used  appropriately.  We  also  believe  that 
the  proposal  provides  an  important  foundation  for  Congress  to  build  upon  in  protect- 
ing privacy  and  maintaining  quality  health  care.  We  are  particularly  pleased  that 
the  proposed  rule  would  not  pre-empt  more  protective  state  laws  and  acknowledges 
that  people  with  disabilities  and  other  sensitive  conditions  may  need  special  protec- 
tions (such  as  through  the  handling  of  psychotherapy  notes).  We  are  also  pleased 
that  the  proposed  rule  requires  covered  entities  to  contract  with  business  partners 
and  name  as  third  party  beneficiaries  individuals  whose  protected  health  informa- 
tion is  used  or  disclosed.  We  commend  the  Secretary  for  proposing  that  individuals 
be  permitted  to  access  and  copy  their  health  information.  We  are  also  pleased  that 
the  Secretary  acknowledges  the  continued  need  for  federal  legislation  to  fill  gaps  the 
Secretary  did  not  have  authority  to  cover  under  the  Health  Insurance  Portability 
and  Accountability  Act  of  1996  (HIPAA). 

While  we  acknowledge  the  leadership  of  the  President  and  Secretary  in  moving 
the  process  forward,  we  have  found  areas  in  the  proposed  rule  that  we  find  unwork- 
able or  that  need  bolstering. 


1  California  Healthcare  Foundation,  National  Survey:  Confidentiality  of  Medical  Records 
(January  1999).  The  survey  was  conducted  by  Princeton  Survey  Research  Associates.  Results  are 
available  at  www.chci.org/conference/survey.crfm. 
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ni.  The  Secretary's  Authority  Under  HIPAA 

The  delegation  under  HIPAA  limited  the  Secretar/s  authority  in  three  important 
areas.  The  Secretary  only  had  authority  to  cover  health  plans,  health  clearinghouses 
and  certain  health  care  providers,  and  information  transmitted  or  maintained  elec- 
tronically. HIPAA  also  did  not  provide  a  private  right  of  action  for  individuals  whose 
health  information  has  been  improperly  used  or  disclosed.  We  encourage  Congress 
to  enact  legislation  to  fill  these  gaps. 

A.  Covered  Entities 

While  the  Secretary  covered  entities  permitted  under  HIPAA,  imfortunately, 
many  entities  (such  as  life  insurers,  employers  and  marketing  firms)  that  receive, 
use  and  disclose  protected  health  information  are  not  required  to  comply  with  the 
regulations.  We  believe  that  directly  covering  these  entities  is  necessary  to  ade- 
quately protect  patient  privacy.  While  we  believe  that  entities  who  receive  informa- 
tion should  be  directly  covered  at  the  federal  level,  we  commend  the  Secretary  for 
acting  within  the  limits  of  HIPAA  and  constructing  the  business  partner  rules  to 
cover  entities  who  regularly  use  and  disclose  protected  health  information. 

B.  Covered  Information 

As  part  of  administrative  simplification,  HIPAA  hmited  the  Secretary's  authority 
to  protect  only  information  transmitted  or  maintained  electronically.  While  the  Sec- 
retary discusses  her  authority  at  length,  we  are  concerned  that  people  with  disabil- 
ities may  be  reluctant  to  seek  care  or  to  honestly  discuss  sensitive  health  conditions 
if  all  of  their  health  information  is  not  confidential.  Privacy  is  especially  important 
to  people  with  disabilities  because  they  may  have  stigmatizing  conditions  which,  if 
disclosed,  could  result  in  discrimination  and  embarrassment.  Because  of  the  com- 
plexity of  the  health  care  system,  most  patients  will  never  know  what  information, 
if  any,  is  stored  electronically.  Even  if  patients  are  able  to  determine  what  informa- 
tion is  maintained  electronically,  they  will  likely  fear  that  some  portion  is  in  paper 
format.  Without  privacy  protection  for  all  health  information,  people  with  disabil- 
ities will  be  reluctant  to  discuss  their  condition.  We  know  that  this  leads  to  bad 
health  outcomes  and,  in  some  cases,  would  cause  people  to  forego  medical  care  en- 
tirely. The  only  way  to  ensure  patient  confidence  in  the  health  care  system  is  to 
make  the  proposed  rule  applicable  to  all  information. 

C.  Private  Right  of  Action 

Under  the  proposed  rule,  individuals  whose  protected  health  information  has  been 
improperly  used  or  disclosed  will  have  no  recourse.  While  we  recognize  that  the  Sec- 
retary did  not  have  authority  under  HIPAA  to  create  a  private  right  of  action,  we 
strongly  believe  that  Congress  should  enact  legislation  to  fill  this  important  gap. 
Many  federal  privacy  statutes  have  private  right  of  action  provisions  including  the 
Privacy  Act  of  1974  (5  U.S.C.  552a),  Electronic  Communications  Privacy  Act  (18 
U.S.C.  2701  et  seq.).  Right  to  Financial  Privacy  Act  (12  U.S.C.  3401  et  seq.).  Fair 
Credit  Reporting  Act  (15  U.S.C.  1681  et  seq.),  Cable  Communications  Act  (47  U.S.C. 
551),  Videotape  Privacy  Protection  Act  (18  U.S.C.  2710)  and  the  Driver's  Privacy 
Protection  Act  (18  U.S.C.  2721  et  seq.). 

IV.  Important  Areas  Where  the  Regulation  Could  Be  Improved 

While  we  have  many  concerns  with  the  proposed  rule,  we  beUeve  that  the  rule 
provides  greater  protections  than  exist  today  and  is  an  important  foundation  upon 
which  to  build.  \^niile  we  have  submitted  comprehensive  comments  to  the  Secretary, 
we  have  highlighted  five  important  areas  for  people  with  disabilities,  and  believe, 
at  a  minimum,  the  following  changes  are  necessary:  (1)  require  covered  entities  to 
obtain  a  written  authorization  prior  to  using  or  disclosing  protected  health  informa- 
tion for  treatment,  payment  and  health  care  operations,  (2)  require  entities  to  obtain 
authorization  prior  to  commimicating  with  the  individual  about  sensitive  health  con- 
ditions, (3)  require  covered  entities  to  first  determine  whether  de-identified  informa- 
tion can  be  used  to  accomplish  the  purpose  of  the  use  or  disclosure,  (4)  prohibit  dis- 
closure of  protected  health  information  for  law  enforcement  purposes  without  a  war- 
rant fi:'om  a  neutral  judicial  officer,  and  (5)  extend  protections  of  the  regulations  to 
all  individually  identifiable  health  information. 

A.  Signed  Authorization  for  Treatment,  Payment  and  Health  Care  Oper- 
ations 

(Section  164.506  Uses  and  disclosures  of  protected  health  information:  general 
rules) 

The  proposed  rule  permits  covered  entities  to  use  and  disclose  protected  health 
information  for  treatment,  payment  and  health  care  operations  without  individual 
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authorization.  A  signed  authorization  from  the  individual  is  extremely  important. 
This  issue  was  addressed  at  length  by  the  Health  Privacy  Working  Group,  a  panel 
comprised  of  diverse  stakeholders  including  disability  and  mental  health  advocates, 
health  plans,  providers,  employers,  standards  and  accreditation  representatives,  and 
experts  in  public  health,  medical  ethics,  information  systems  and  health  policy.  See 
Best  Principles  for  Health  Privacy,  a  Report  of  the  Health  Privacy  Worlang  Group 
(July  1999).  This  diverse  group  noted  that,  as  a  general  rule,  requiring  patient  au- 
thorization prior  to  disclosure  can: 

•  bolster  patient  trust  in  providers  and  health  care  organizations  by  acknowledg- 
ing the  patient's  role  in  health  care  decisions; 

•  serve  as  recognition  that  notice  was  given  and  the  patient  was  aware  of  the 
risks  and  benefits  of  disclosure;  and 

•  define  an  "initial  moment"  in  which  patients  can  raise  questions  about  privacy 
concerns  and  learn  more  about  options  available  to  them. 

We  find  the  Secretar/s  proposed  rule  extremely  troublesome  because  it  does  not 
require  patient  authorization,  and  in  fact,  prohibits  covered  entities  from  obtaining 
authorizations  unless  required  by  State  law.  Unless  the  current  regulatory  author- 
ization for  treatment,  payment  and  health  care  operations  is  modified,  CCD  would 
oppose  implementation  of  this  rule.  In  a  world  of  managed  care,  the  Administration 
and  many  health  and  consumer  interests  have  been  dedicated  to  shifting  popular 
culture  to  embrace  the  concept  of  the  "empowered  patient."  Many  observers  believe 
that  the  best  way  to  make  managed  care  work  is  for  patients  to  become  self-advo- 
cates, active  in  working  the  system  so  they  get  the  care  they  need.  Dismantling  the 
current  authorization  system  runs  counter  to  this  approach.  The  Secretary's  ap- 
proach disempowers  patients  by  taking  away  their  ability  to  actively  control  access 
to  their  own  protected  health  information. 

Patients  should  be  encouraged  to  be  active  participants  in  their  own  health  care- 
and  the  authorization  process  should  be  an  integral  piece  of  that  picture.  A  signed 
authorization  provides  a  unique  opportunity  for  the  individual  to  imderstand  the 
uses  and  disclosures  of  her  health  information.  This  process  will  increase  individual 
awareness  of  the  risks  and  benefits  of  such  uses  and  disclosures.  While  the  Sec- 
retary states  that  individuals  are  not  hkely  to  know  "all  the  possible  uses,  disclo- 
sures, and  re-disclosures  to  which  their  information  will  be  subject,"  individuals 
should  be  informed,  to  the  extent  practicable,  of  how  information  will  be  used  and 
to  whom  it  may  be  disclosed.  See  64  Fed.  Reg.  59918,  59940  (Nov.  3,  1999).  A  signed 
authorization  will  give  individuals  an  opportunity  to  review  the  authorization  and 
create  an  "initial  moment"  in  which  the  patient  can  address  her  privacy  concerns. 
When  discrepancies  between  an  individual's  privacy  concerns  and  the  covered  enti- 
ty's use  and  disclosure  of  information  arise,  the  signed  authorization  will  provide 
an  opportunity  for  the  individual  to  ask  questions  about  how  her  information  will 
be  used  and  disclosed. 

The  Secretary  states  three  reasons  for  not  adopting  a  signed  authorization  ap- 
proach: (1)  authorizations  provide  individuals  with  little  actual  control  over  their 
health  information,  (2)  consent  is  often  not  voluntary  because  the  individual  must 
sign  the  form  as  a  condition  of  treatment  or  payment,  and  (3)  individuals  are  often 
asked  to  sign  broad  authorizations  but  are  provided  little  or  no  information  about 
how  their  health  information  will  be  used.  64  Fed.  Reg.  59918,  59940  (1999). 

We  find  the  Secretary's  rationale  troubling.  The  Secretary  has  the  authority  to  im- 
prove the  current  authorization  process  but  states  current  problems  as  the  reason 
not  to  empower  patients.  Even  if  the  Secretary  chooses  not  to  empower  patients,  her 
rationale  that  authorizations  provide  individuals  with  little  actual  control  and  con- 
sent is  often  not  voluntary  does  not  consider  the  importance  of  the  "initial  moment." 
As  discussed  above,  this  moment  gives  individuals  the  chance  to  learn  about  the  use 
and  disclosure  of  her  information  and  ask  questions,  voice  concerns  or  negotiate,  if 
possible.  The  Secretary's  rationale  also  fails  to  consider  the  reality  of  receiving  medi- 
cal treatment  for  sensitive  conditions.  We  know  that  for  stigmatizing  conditions, 
such  as  HIV  or  sexually  transmitted  diseases,  individuals  exercise  control  by  fore- 
going treatment  or  choosing  to  self-pay  for  specific  services  under  an  assumed  name. 
Authorizations  would  help  these  individuals  learn  more  about  the  use  and  disclo- 
sure of  their  information  so  they  can  feel  comfortable  receiving  treatment  £uid  pro- 
viding accurate  information  to  providers. 

Because  many  covered  entities  currently  obtain  signed  authorizations,  there 
would  be  httle,  if  any,  additional  administrative  burden.  See  64  Fed.  Reg.  59918, 
59940  (1999).  We  see  no  reason  to  reduce  current  protections  afforded  to  consimiers. 
As  covered  entities  increase  communications  with  individuals,  provide  individuals 
with  opportunities  to  understand  how  their  information  is  being  used  and  disclosed, 
and  allow  individuals  to  negotiate,  individuals  will  feel  that  they  have  more  control 


128 

over  their  health  care  decisions.  These  simple  but  important  changes  will  likely  im- 
prove the  public's  perception  of  the  health  care  system. 

B.  Individual  Authorization  for  Sensitive  Health  Conditions 

(Section  164.508  Uses  and  disclosures  for  which  individual  authorization  is  re- 
quired) 

Requiring  entities  to  obtain  authorization  from  an  individual  before  communicat- 
ing with  the  individual  about  sensitive  health  conditions  is  also  very  important.  Peo- 
ple with  disabiUties  who  seek  sensitive  health  care  services  have  heightened  concern 
that  their  medical  condition  or  treatment  may  be  inadvertently  disclosed  to  others 
such  as  roommates,  house  mates,  family  members,  neighbors,  employers  or  others 
who  may  want  to  cause  harm. 

Covered  entities  should  be  required  to  protect  against  inadvertent  disclosures  of 
protected  health  information  concerning  sensitive  health  care  services  [defined  as 
services  relating  to  reproductive  health,  sexually  transmissible  diseases  (whether  or 
not  transmitted  in  any  particular  case),  substance  abuse,  or  mental  health]  by  ob- 
taining the  individual's  authorization  prior  to  communicating  with  the  individual  (or 
the  policyholder). 

Sensitive  health  care  services  often  involve  the  most  personal  health  care  deci- 
sions. Individuals  with  sensitive  health  conditions  face  unique  confidentiaUty  con- 
cerns because  they  are  the  most  likely  to  suffer  discrimination  or  stigmatization  as- 
sociated with  such  conditions.  It  is  very  important  that  people  with  disabiUties  who 
have  sensitive  conditions  be  able  to  control  where  and  how  information  about  sen- 
sitive conditions  is  communicated  to  them.  For  example,  a  person  living  with  HIV 
may  want  to  ensure  that  a  covered  entity  does  not  send  any  information  about 
health  services  to  her  work  address  because  she  fears  her  employer  or  co-worker 
may  discriminate  against  her. 

We  believe  that  covered  entities  should  be  required  to  obtain  authorization  from 
the  individual  prior  to  all  communications  with  the  individual  regarding  sensitive 
health  care  services.  All  communications  with  the  individual  should  be  protected  be- 
cause it  is  very  difficult  to  determine  exactly  where  in  the  chain  of  communication 
an  individual's  information  could  result  in  stigmatization,  discrimination,  retaliation 
or  other  harm. 

The  Secretary  acknowledged  in  her  prefatory  language  that  covered  entities  al- 
ready have  the  ability  to  implement  and  track  patient  authorizations.  64  Fed.  Reg. 
59918,  59946  (1999).  Furthermore,  the  regulations  require  authorizations  for  (1) 
uses  and  disclosures  other  than  treatment,  payment  and  health  care  operations,  (2) 
uses  and  disclosures  of  psychotherapy  notes,  and  (3)  uses  and  disclosures  for  re- 
search unrelated  to  treatment.  Because  an  authorization  framework  is  in  place,  we 
do  not  believe  that  an  authorization  for  sensitive  health  conditions  would  be  a  sig- 
nificant burden. 

C.  De-identified  Information 

(Section  164.506(b)(1)  Standard:  minimum  necessary) 

We  strongly  believe  that  entities  should  first  be  required  to  determine  whether 
de-identified  information  can  be  used  or  disclosed  to  accompUsh  the  intended  pur- 
pose. While  we  agree  with  the  Secretar/s  general  approach  that  entities  use  or  dis- 
close only  the  minimum  amount  necessary,  we  believe  that  a  clear  statement  that 
entities  must  first  consider  de-identified  information  is  the  only  way  to  ensure  that 
the  minimum  amount  standard  is  adequately  implemented. 

Requiring  entities  to  use  and  disclose  de-identified  information  will  help  ensure 
that  only  the  minimum  amount  will  be  used.  Presumably,  de-identified  information 
is  part  of  the  minimum  amount  necessary  evaluation.  While  proposed  section 
164.506(d)  defines  de-identified  protected  health  information,  it  is  unclear  when,  if 
at  aU,  an  entity  must  use  de-identified  information. 

We  believe  that  a  de-identified  requirement  is  consistent  with  the  Secretary's  pro- 
posed minimum  amount  requirement.  In  fact,  in  the  prefatory  language  to  the  mini- 
mum amount  requirement,  the  Secretary  notes  that  stripping  individually 
indentifiable  information  of  identifiers  is  currently  used  for  analytical,  statistical 
and  research  purposes.  64  Fed.  Reg.  59918,  59946  (1999). 

While  the  Secretary  states  that  section  164.506(d)  is  intended  to  permit  important 
research  to  continue,  certainly  there  are  benefits  to  requiring  all  covered  entities  to 
consider  de-identified  information.  Requiring  entities  to  consider  de-identified  infor- 
mation will  hmit  the  ability  of  all  recipients  to  link  the  information  to  individuals. 

D.  Law  Enforcement 

(Section  164.510(f)  Disclosures  for  law  enforcement  purposes) 
We  are  also  very  concerned  about  the  Secretary's  proposed  section  164.510(f). 
Under  the  proposed  rule,  people  with  disabilities  may  have  their  health  information 
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disclosed  to  law  enforcement  officials  without  any  legal  process.  We  urge  the  final 
regulation  require  law  enforcement  to  obtain  legal  process-such  as  a  warrant  or 
court  order-that  is  judicially-approved  after  application  for  a  Fourth  Amendment 
probable  cause  standard. 

These  same  requirements  exist  in  other  federal  privacy  statutes  protecting  peo- 
ples' communications,  cable  subscriber  records  and  even  video  rental  lists.  None  of 
these  laws  are  absolute  bars  to  law  enforcement  access.  The  procedural  safeguards 
ensure  that  accoimtability  and  oversight  prevent  imwarranted  and  unjustified  abuse 
of  authority. 

E.  Paper  Records 

(Section  164.502  Applicability) 

As  discussed  above,  as  part  of  administrative  simplification,  the  Secretary's  au- 
thority was  limited  to  information  electronically  maintained  or  transmitted.  We  are 
concerned  that  people  with  disabilities  may  be  reluctant  to  seek  care  or  honestly  dis- 
cuss their  health  condition  if  all  of  their  health  information  is  not  confidential.  Pri- 
vacy is  especially  important  to  those  with  disabilities  because  if  information  about 
their  disability  or  condition  is  disclosed  they  may  suffer  discrimination,  embarrass- 
ment or  stigmatization.  Because  of  the  complexity  of  the  health  care  system,  most 
patients  will  never  know  what  information,  if  any,  is  stored  electronically.  Even  if 
patients  are  able  to  determine  what  information  is  maintained  electronically,  they 
will  likely  fear  that  some  portion  is  in  paper  format.  Without  privacy  protection  for 
all  health  information,  persons  with  disabilities  may  not  disclose  their  health  condi- 
tion. The  only  way  to  ensure  patient  confidence  in  the  health  care  system  is  to  make 
the  proposed  rule  applicable  to  all  information. 

IV.  Conclusion 

We  beheve  that  the  proposed  rule  provides  an  important  foundation  to  protect  pa- 
tient privacy  and  maintain  quaHty  health  care.  We  commend  the  Secretary  for  not 
preempting  more  protective  state  laws,  acknowledging  that  sensitive  information 
needs  special  protection,  constructing  business  partner  rules  and  permitting  individ- 
uals to  inspect  and  copy  their  health  information.  We  encourage  Congress  to  enact 
legislation  to  build  upon  these  important  regulations  and  to  fill  gaps  left  by  HIPAA. 


Statement  of  the  Family  Violence  Prevention  Fund,  San  Francisco,  CA 

I.  General  Privacy  Concerns 

The  Family  Violence  Prevention  Fimd  (FVPF)  is  a  leading  national  organization 
that  advocates  on  behalf  of  the  millions  of  women  and  children  who  are  victims  of 
domestic  violence  each  year.  The  FVPF  runs  several  major  programs  that  deal  spe- 
cifically with  health  care  and  its  response  to  domestic  violence,  including  the  na- 
tional resource  center  on  health  care  and  domestic  violence.  As  advocates  for  domes- 
tic violence  victims,  the  FVPF  supports  strong  privacy  protections  that  will  give  vic- 
tims confidence  that  their  personal  information  will  be  used  appropriately. 

Almost  onethird  of  American  women  report  being  a  victim  of  domestic  violence  at 
some  point  in  their  lives.  The  health  care  system  is  playing  an  increasingly  impor- 
tant role  in  responding  to  battered  women  by  identifying  and  documenting  abuse 
and  connecting  victims  with  domestic  violence  advocates  and  services.  Privacy  of 
health  information  is  critical  to  the  safety  and  wellbeing  of  millions  of  women  and 
children  who  suffer  harm  from  domestic  violence  and  abuse  each  year.  Strong  pri- 
vacy protections  that  take  into  consideration  the  concerns  of  domestic  violence  vic- 
tims will  encourage  victims  to  discuss  their  injuries  and  feel  safe  knowing  that  their 
information  will  remain  confidential. 

A  victim  is  often  concerned  about  privacy  because  she  fears  that  her  perpetrator 
will  discover  that  she  has  discussed  the  abuse  with  her  provider.  A  perpetrator  who 
learns  that  his  victim  has  told  her  provider  about  the  domestic  violence  could  resort 
to  further  abuse.  Because  victims  fear  that  their  health  information  will  not  remain 
confidential,  many  may  be  reluctant  to  discuss  the  violence  openly  and  honestly. 

In  order  to  protect  victims,  many  providers  do  not  docimient  domestic  violence  be- 
cause they  also  fear  the  perpetrator  could  access  the  victim's  health  information  and 
cause  additional  harm.  Providers  who  discover  but  do  not  document  domestic  vio- 
lence run  the  risk  that  later  treating  providers  will  not  know  the  history  of  violence 
and  misdiagnose  the  victim.  Providers  who  do  not  document  violence  could  also  re- 
duce the  victim's  chance  of  success  in  legal  proceedings  against  her  perpetrator.  A 
complete  medical  record  that  fiilly  documents  injuries  and  subsequent  health  com- 
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plications  from  the  abuse  can  be  introduced  as  compelling  evidence  to  corroborate 
the  victim's  testimony.  Without  this  corroborative  evidence,  victims  would  need  to 
introduce  other,  less  persuasive  evidence  which  could  hinder  the  victim's  chance  of 
success.  Providers  who  know  that  information  will  remain  confidential  are  more 
likely  to  engage  the  patient,  encourage  the  patient  to  discuss  violence  openly  and 
feel  comfortable  providing  a  complete  record. 

For  a  victim  who  chooses  to  be  open  and  honest,  privacy  concerns  only  begin  when 
she  discusses  the  violence  with  her  provider.  Any  communication  with  the  victim 
at  home,  including  a  bill,  email  or  telephone  call  to  confirm  an  appointment,  in- 
creases the  likelihood  that  the  perpetrator  will  intercept  the  information.  Individ- 
uals who  are  concerned  about  their  safety  should  be  permitted  to  give  providers  a 
telephone  number  and  address  where  the  victim  feels  comfortable  that  the  perpetra- 
tor will  not  discover  that  she  has  sought  treatment. 

While  the  Secretary's  proposed  regulations  are  an  important  foundation  and  in- 
clude some  measures  of  protection  for  victims  of  domestic  violence  they  fall  short 
of  providing  the  level  of  privacy  safeguards  that  are  necessary  to  protect  victims. 
We  have  submitted  comprehensive  recommendations  to  the  Secretary  which  we  be- 
lieve are  essential  for  improving  the  health  care,  safety  and  well-being  of  domestic 
violence  victims.  Without  these  protections,  victims  of  domestic  violence  will  receive 
inadequate  health  care  services,  be  less  able  to  pursue  effective  legal  recourse,  and 
potentially  be  exposed  to  further  violence. 

n.  The  Proposed  Regulations 

The  FVPF  believes  that  the  Secretary's  proposed  regulations  have  the  potential 
to  improve  the  quahty  of  care  for  victims  of  domestic  violence  by  establishing  an 
important  foundation  that  personal  medical  information  will  remain  confidentisil. 
This  assurance  of  confidentiahty  will  hkely  encourage  victims  to  seek  treatment  and 
promote  open  and  honest  communication  between  doctor  and  patient. 

We  are  particularly  pleased  that  the  proposed  regulations  provide  individuals  ac- 
cess to  their  own  health  information,  require  notice  to  patients  of  confidentiahty 
practices  and  do  not  preempt  more  protective  state  laws.  We  commend  the  Secretary 
for  constructing  business  partner  rules  which  require  covered  entities  to  contract 
with  business  partners  to  whom  protected  health  information  is  disclosed.  We  also 
commend  the  Secretary  for  acknowledging  the  continuing  need  and  importance  of 
comprehensive  federal  legislation. 

III.  The  Secretary's  Authority  Under  HIPAA 

Under  HIPAA,  the  Secretary  only  had  authority  to  cover  health  plans,  health 
clearinghouses  and  certain  health  providers.  The  Secretary's  authority  as  part  of  ad- 
ministrative simphfication  was  also  arguably  limited  to  electronically  stored  or 
transmitted  information  and  did  not  include  the  authority  to  establish  a  private 
right  of  action.  While  we  believe  that  the  regulations  provide  an  important  foimda- 
tion  for  privacy  protections,  we  strongly  encourage  Congress  to  fill  the  gaps  left  by 
HIPAA. 

A.  Covered  Entities 

Acting  under  the  delegation  in  HIPAA,  the  Secretary's  regulations  fall  short  of 
covering  all  entities  that  receive,  use  and  disclose  protected  health  information.  Leg- 
islation is  needed  to  protect  information  received  by  all  entities  such  as  insurance 
companies,  marketing  firms  and  employers.  Without  covering  these  entities,  victims 
of  domestic  violence  could  be  subject  to  discrimination  if  an  insurance  company  or 
employer  were  to  use  the  information  improperly. 

B.  Covered  Information 

While  administrative  simplification  under  HIPAA  arguably  limited  the  Secretary's 
authority  to  cover  only  electronic  information,  we  believe  that  privacy  protections 
should  include  all  protected  health  information.  By  protecting  only  electronic  infor- 
mation, the  same  concerns  about  patient  confidence  that  exist  today  will  continue, 
and  many  patients  will  remain  reluctant  to  discuss  sensitive  health  information, 
even  for  treatment.  Because  of  the  complexity  of  the  health  care  system,  most  pa- 
tients will  never  know  what  information  if  any,  is  stored  electronically.  We  are  espe- 
cially concerned  that  many  domestic  violence  victims  will  continue  to  hide  the  real 
cause  of  their  injuries  because  they  fear  for  their  safety.  Even  if  patients  are  able 
to  determine  what  information  is  maintained  electronically,  they  will  hkely  fear  that 
some  portion  of  the  information  is  in  paper  format. 
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C.  Enforcement  and  Private  Right  of  Action 

HIPAA  only  permitted  the  Secretary  to  impose  civil  and  criminal  penalties  for  vio- 
lating privacy  standards.  In  order  to  provide  basic  privacy  protections  afforded  to 
individuals  under  other  federal  privacy  statutes,  Congress  should  enact  legislation 
that  permits  individuals  to  bring  a  private  right  of  action. 

The  civil  and  criminal  penalties  in  HIPAA  are  not  sufficient  to  ensure  that  those 
who  inappropriately  use  or  disclose  information  or  fail  to  adopt  adequate  safeguards 
comply  with  the  regulation.  We  are  concerned  that  Congress  has  not  recognized  the 
need  for  a  private  right  of  action  with  regard  to  medical  information.  Many  other 
federal  privacy  laws  have  private  right  of  action  provisions  such  as  the  Privacy  Act 
of  1974  (5  U.S.C.  552a),  Electronic  Communications  Privacy  Act  (18  U.S.C.  2701  et 
seq.),  Fair  Credit  Reporting  Act  (15  U.S.C.  1681  et  seq.).  Cable  Communications  Act 
(47  U.S.C.  551),  Videotape  Privacy  Protection  Act  (18  U.S.C.  2710)  and  the  Driver's 
Privacy  Protection  Act  (18  U.S.C  2721  et  seq.).  Certainly,  highly  personal  health  in- 
formation deserves  the  same  protections  afforded  to  other  information. 

IV.  Brief  Summary  of  Recommended  Changes  to  the  Proposed  Rule 

Although  we  have  many  concerns  with  the  proposed  rule,  we  believe  that  the  rule 
provides  greater  protections  than  exist  toady  and  provides  an  important  foundation 
upon  which  to  build.  While  we  have  submitted  comprehensive  comments  to  the  Sec- 
retary, the  following  is  a  brief  summary  of  our  recommended  changes  to  the  pro- 
posed rule. 

A.  Applicability 

We  believe  that  the  regulation  should  apply  to  health  information  in  both  elec- 
tronic and  paper  format.  By  only  covering  electronic  information,  the  same  concerns 
about  patient  confidence  that  exist  today  will  continue,  and  many  patients  will  re- 
main reluctant  to  discuss,  even  for  treatment,  sensitive  health  information.  Because 
of  the  complexity  of  the  health  care  system,  most  patients  will  never  know  what  in- 
formation, if  any,  is  stored  electronically.  We  are  especially  concerned  that  many  do- 
mestic violence  victims  will  continue  to  hide  the  real  cause  of  their  injuries  because 
they  fear  for  their  safety.  Even  if  patients  are  able  to  determine  what  information 
is  maintained  electronically,  they  will  likely  fear  that  some  portion  of  the  informa- 
tion is  in  paper  format.  The  only  way  to  ensiu-e  patient  confidence  in  the  health  care 
system  is  to  make  the  proposed  rules  applicable  to  all  information. 

B.  Definitions 

We  agree  with  the  Secretary's  proposed  rule  that  a  minor  who  lawfully  obtains 
health  care  services  on  his  or  her  own  exercises  the  rights  of  an  individual  under 
the  proposed  rule.  For  victims  of  domestic  violence  or  abuse  who  are  minors,  this 
provision  would  guarantee  that  family  members  who  are  perpetrators  could  not  ac- 
cess information  (see  also  comments  for  Directory  Information  and  Next  of  Kin).  We 
are  also  concerned  about  minors  who  may  suffer  due  to  well-meaning  but  inappro- 
priate parental  intervention.  For  example,  a  daughter  who  is  abused  by  her  boy- 
friend may  fear  that  if  her  parents  discover  the  abuse,  they  will  confi:'ont  her  abu- 
sive boyfriend  in  a  cursory  or  inappropriate  manner.  As  a  result,  the  boyfriend  could 
resort  to  retaliation  and  further  violence. 

C.  Treatment,  Payment  and  Health  Care  Operations 

We  strongly  believe  that  covered  entities  should  be  required  to  get  individual  au- 
thorization in  order  to  use  or  disclose  protected  health  information  for  treatment, 
payment  and  health  care  operations.  While  the  Secretary  states  that  such  an  au- 
thorization is  meaningless  because  individuals  must  sign  the  authorization  in  order 
to  receive  treatment,  authorizations  themselves  are  very  important  because  they  are 
an  "initial  moment"  in  which  patients  can  raise  questions  about  privacy  concerns 
and  learn  more  about  options  available  to  them.  For  many  domestic  violence  victims 
who  are  concerned  about  further  violence,  this  initial  moment  will  help  create  con- 
fidence that  their  information  will  be  used  only  for  specified  purposes. 

Providers  disclosing  information  for  consultation  or  referral  should  be  required  to 
verify  who  is  requesting  protected  health  information.  We  are  concerned  that  vic- 
tims of  domestic  violence  who  receive  specialized  care  (such  as  reproductive  or  men- 
tal health  services)  may  have  their  information  improperly  disclosed  to  the  perpetra- 
tor. Under  the  proposed  regulations,  a  provider  who  renders  specialized  services 
would  not  be  required  to  consult  the  patient  before  disclosing  information  or  even 
verify  who  has  requested  the  information.  We  are  concerned  that  perpetrators  could 
successfully  obtain  information  by  using  the  proposed  rule  under  false  pretenses. 

The  regulations  should  require  a  covered  entity  to  protect  against  inadvertent  dis- 
closures of  protected  health  information  concerning  sensitive  health  care  services 
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(defined  as  services  relating  to  reproductive  health,  sexually  transmitted  diseases, 
substance  abuse,  and  mental  health)  by  obtaining  an  individual's  authorization 
prior  to  communicating  with  the  individual  at  the  individual's  home  (whether  by 
phone  or  mail).  Individuals  seeking  sensitive  health  care  services  have  a  heightened 
concern  that  information  about  their  medical  condition  or  treatment  may  be  inad- 
vertently disclosed  to  others  in  their  household,  such  as  roommates,  housemates,  or 
family  members.  The  authorization  should  specifically  ask  whether  the  provider  or 
plan  can  call  the  individual  at  home,  send  communications  via  email  to  the  individ- 
ual's home,  or  send  bills  to  the  individual's  home.  If  the  individual  does  not  author- 
ize these  communications,  the  individual  should  provide  on  the  authorization  form 
a  phone  number  or  an  address  for  such  communications  and  must  indicate  how  pay- 
ment will  be  arranged  if  payment  is  due. 

D.  Minimum  Necessary 

We  strongly  beheve  that  entities  should  first  be  required  to  determine  whether 
de-identified  information  can  be  used  or  disclosed  to  accomplish  the  intended  pur- 
pose. While  the  proposed  rule  requires  that  entities  use  only  the  minimum  amount 
of  information  necessary,  the  rule  does  not  require  the  use  of  de-identified  informa- 
tion. We  believe  that  a  clear  statement  that  entities  must  first  consider  de-identified 
information  is  the  only  way  to  ensure  that  the  minimum  amount  necessary  standard 
is  adequately  implemented. 

We  also  strongly  believe  that  when  an  entity  discloses  information  at  the  individ- 
ual's request,  only  the  minimum  amount  necessary  should  be  disclosed,  unless  the 
individual  has  indicated  otherwise.  A  victim  may  authorize  a  provider  to  disclose  in- 
formation to  a  ftiend  or  family  member  in  order  to  discuss  her  present  course  of 
treatment.  Under  the  proposed  rule,  a  provider  could  disclose  the  victim's  entire 
medical  history  including  information  about  domestic  violence  the  victim  may  have 
intended  to  remain  confidential. 

Where  disclosure  is  not  pursuant  to  a  court  order,  we  strongly  recommend  that 
only  the  minimum  amount  of  information  necessary  to  respond  to  the  request  be 
disclosed  in  judicial  and  administrative  proceedings.  While  we  recognize  that  liti- 
gants may  need  to  access  information,  we  are  concerned  that  covered  entities  who 
disclose  information  would  prefer  to  disclose  all  information  rather  than  redact  sen- 
sitive information.  Unnecessary  disclosure  could  occur  under  a  number  of  scenarios, 
including  a  subpoena  in  a  personal  injury  lawsuit  where  the  victim  gave  a  history 
of  prior  abuse  at  the  provider's  request.  While  some  providers,  plans  or  parties  may 
choose  to  redact  the  information,  some  may  not — thereby  disclosing  sensitive  per- 
sonal information.  If  the  holder  of  information  is  unclear  what  information  is  being 
requested,  the  entity  should  request  clarification  and  should  only  disclose  that  infor- 
mation which  is  necessary.  While  the  Secretary's  preamble  raises  practical  concerns 
about  applying  the  minimum  amount  necessary  standard  requirement  in  judicial 
and  administrative  proceedings,  we  believe  that,  at  a  minimum,  only  information 
reasonably  necessary  to  respond  to  a  subpoena  should  be  disclosed  (see  Judicial  and 
Administrative  Proceedings). 

We  also  strongly  believe  that  law  enforcement  access  to  protected  health  informa- 
tion about  victims  of  crime  or  abuse  should  be  limited  to  the  minimum  amount  nec- 
essary requirement.  Providers  who  disclose  too  much  information  to  law  enforce- 
ment without  adequate  consideration  of  the  victim's  safety  increases  the  likeUhood 
that  a  perpetrator  will  discover  that  the  victim  was  treated  for  her  injuries  (see  Law 
Enforcement).  We  are  also  concerned  about  victims  in  small  communities  who  can 
be  easily  linked  to  the  information  even  if  the  victim's  name  or  address  is  not  dis- 
closed. We  believe  that  the  minimum  necessary  requirement  would  help  prevent 
these  types  of  inappropriate  and  unnecessary  disclosures. 

E.  Right  to  Request  Restrictions 

An  individual  should  have  a  true  right  to  restrict  the  use  and  disclosure  of  infor- 
mation that  could  jeopardize  the  individual's  safety.  Women  who  know  that  they 
will  suffer  further  violence  from  a  perpetrator  must  be  able  to  access  health  care 
without  fearing  such  communications  will  reach  him.  A  victim  of  domestic  violence 
needs  to  be  able  to  place  restrictions  on  the  use  and  disclosure  of  their  information 
even  for  treatment,  payment  and  health  care  operations.  A  victim  also  needs  to 
know  that  a  perpetrator  who  requests  information  will  not  be  able  to  locate  her.  It 
is  essential  that  a  victim  who  has  fled  a  perpetrator  not  be  found  because  a  provider 
or  insurer  gave  the  perpetrator  the  victim's  new  address,  either  directly  or  through 
mailing  of  an  explanation  of  benefits  form.  A  victim's  right  to  restrict  the  disclosure 
of  her  protected  health  information  should  not  be  dependent  on  an  agreement  of  a 
health  care  provider,  who  may  underestimate  the  severity  of  danger.  Failing  to  give 
a  victim  of  abuse  a  true  right  to  limit  disclosures  of  such  information  where  the  dis- 
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closure  would  endanger  her  safety  will  undermine  the  efforts  of  the  health  care  com- 
munity to  serve  victims  and  deprive  them  of  necessary  care  and  assistance. 

We  also  believe  that  third  parties  who  provide  health  care  services  or  issue  bills 
independent  of  the  primary  provider,  insurer,  or  institution  should  comply  with  use 
and  disclosure  restrictions  requested  by  an  individual.  If  an  individual  restricts  the 
use  and  disclosure  of  information,  a  provider  who  agrees  to  or  is  aware  of  a  restric- 
tion must  inform  third  parties  that  the  information  can  only  be  used  and  disclosed 
for  purposes  that  do  not  violate  the  restrictions.  For  example,  an  individual  who  is 
referred  to  an  out-of-plan  radiologist  may  be  billed  separately  for  the  radiology 
treatment.  So,  even  if  the  primary  provider's  bill  goes  to  an  alternate  address,  the 
radiologist's  bill  could  be  sent  to  the  victim's  house,  inadvertently  notifying  the  per- 
petrator and  endangering  her.  If  an  individual  has  requested  that  the  original,  re- 
ferring provider  only  communicate  with  the  individual  at  an  address  other  than  the 
individual's  home,  the  radiologist  should  also  be  required  to  comply  with  the  restric- 
tions originally  requested  by  the  individual.  It  should  always  be  the  primary  pro- 
vider/institution's responsibility  to  communicate  the  restriction  to  all  third  parties 
as  a  patient  often  does  not  know  which  referrals  are  billed  separately. 

F.  Component  Entities 

We  strongly  believe  that  the  Secretary  should  expressly  state  that  personnel  and 
benefit  administration  employees  responsible  for  benefits  or  managing  the  day-to- 
day operation  of  the  health  plan  are  covered  by  the  regulation.  The  Secretar/s  pre- 
amble appears  to  cover  these  employees  but  we  believe  this  should  be  made  clear 
in  the  regulation.  We  also  recommend  that  the  Secretary  require  personnel  depart- 
ments and  employees  who  handle  health  care  administration  to  have  safeguards  to 
ensure  that  information  is  not  disclosed  to  the  larger  organization.  We  are  very  con- 
cerned about  employers  who  may  improperly  obtain  information  fi:'om  benefit  admin- 
istrators and  use  the  information  inappropriately  to  make  employment  decisions 
(such  as  promotions,  job  assignments,  and  even  firing).  Victims  of  domestic  violence 
would  be  likely  targets  even  when  they  perform  well  on  the  job.  Employees  who 
work  within  the  health  care  component  must  be  empowered  to  deny  release  of  the 
information  to  corporate  executives  and  managers  outside  the  health  care  compo- 
nent unless  disclosure  is  required  for  health  plan  administration. 

G.  Judicial  and  Administrative  Proceedings 

We  strongly  believe  that  the  regulations  should  specify  minimum  information  that 
must  be  included  in  court  and  administrative  orders  in  order  to  guide  those  disclos- 
ing protected  health  information  and  to  notify  those  receiving  information  that  the 
information  cannot  be  used  or  disclosed  for  other  purposes.  At  a  minimum,  court 
and  administrative  orders  should:  (1)  provide  that  the  protected  health  information 
is  subject  to  court  protection;  (2)  state  the  nature  of  the  information  to  be  disclosed, 
and  to  the  extent  practicable,  identify  specific  information  to  be  disclosed;  (3)  specify 
to  whom  the  information  may  be  disclosed;  (4)  specify  that  such  information  may 
not  otherwise  be  used  or  disclosed;  and  (5)  meet  any  other  requirements  that  the 
court  or  tribunal  determines  are  needed  to  protect  confidentiality.  These  require- 
ments are  necessary  to  ensure  that  sensitive  information  is  not  released  outside  of 
the  proceedings  in  a  way  that  could  jeopardize  the  safety  of  the  victim. 

We  believe  that  only  the  minimum  amount  of  information  necessary  to  respond 
to  a  subpoena  should  be  disclosed.  If  the  holder  of  information  is  unclear  what  infor- 
mation is  being  requested,  the  entity  should  request  clarification  and  should  only 
disclose  that  iiSbrmation  which  is  necessary.  While  the  Secretary's  preamble  raises 
practical  concerns  about  applying  the  minimum  amount  necessary  requirement  in 
judicial  and  administrative  proceedings,  we  believe  that,  at  a  minimum,  the  Sec- 
retary should  require  that  only  information  reasonably  necessary  to  respond  to  a 
subpoena  should  be  disclosed.  While  we  recognize  that  it  may  sometimes  be  difficult 
for  parties  responding  to  requests  to  determine  exactly  what  information  the  re- 
questing party  seeks,  the  holder  of  the  protected  health  information  shoiild  not  have 
blanket  authority  to  disclose  all  protected  health  information— only  information  that 
is  directly  responsive  to  a  subpoena  should  be  disclosed.  While  a  victim  may  have 
a  long  history  of  domestic  violence  and  other  conditions,  if  the  information  is  not 
directly  responsive  then  it  should  not  be  disclosed. 

We  also  strongly  believe  that  the  Secretary  should  include  a  provision  prohibiting 
disclosure  of  protected  health  information  unless  the  individual  who  is  the  subject 
of  the  information  has  had  (1)  reasonable  notice  of  the  subpoena  and  (2)  reasonable 
opportunity  to  move  the  court,  or  other  presiding  official,  to  quash  the  subpoena  on 
the  basis  that  the  individual's  privacy  interest  outweighs  the  interest  of  the  person 
seeking  the  information.  Under  the  proposed  rule,  a  domestic  violence  victim  may 
not  know  about  a  request  for  disclosure  of  her  personal  information  that  could  seri- 
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ously  endanger  her.  A  notice  requirement  would  ensure  that  a  victim  could  take  the 
necessary  precautions  to  make  sure  that  domestic  violence  information  does  not 
reach  the  perpetrator. 

H.  Law  Enforcement 

We  are  very  concerned  that  domestic  violence  information  may  be  disclosed  to  law 
enforcement  officials  without  any  consideration  or  notice  about  safety  concerns  of 
domestic  violence  victims.  The  only  way  to  safeguard  the  privacy  of  domestic  vio- 
lence victims  is  to  require  a  warrant  from  a  neutral  judicial  officer  prior  to  every 
law  enforcement  disclosure.  A  warrant  requirement  is  a  famiUar  standard  in  other 
federal  privacy  laws  and  has  not  been  shown  to  interfere  with  legitimate  law  en- 
forcement activity.  We  are  also  concerned  that  without  a  warrant  requirement  a  vic- 
tim could  be  deterred  from  reporting  violence  if  she  knows  that  the  police  could  ac- 
cess all  of  her  medical  records. 

A  covered  entity  should  be  required  to  provide  notice  to  a  victim  about  any  re- 
quests or  disclosures  of  information  to  law  enforcement  officials.  Information  re- 
leased to  law  enforcement  officials  will  Hkely  be  used  to  make  an  arrest  or  conduct 
follow  up  investigation.  We  are  concerned  that  during  this  process  a  perpetrator 
may  discover,  either  directly  through  police  interrogation  or  indirectly  from  wit- 
nesses who  have  been  contacted,  that  the  victim  has  discussed  the  abuse  with  law 
enforcement  officials  or  her  provider.  Providing  notice  to  the  victim  will  allow  the 
victim  to  take  necessarj'^  safety  precautions.  Because  providers  are  already  required 
to  account  for  disclosures  we  believe  that  any  administrative  burden  would  be  insig- 
nificant. 

When  a  victim  has  requested  restrictions  on  uses  and  disclosures  of  her  health 
information,  the  covered  entity  should  communicate  those  restrictions  to  law  en- 
forcement officials.  Informing  law  enforcement  of  the  restrictions  would  help  inves- 
tigators imderstand  a  victim's  safety  concerns.  Law  enforcement  officials  would  then 
be  better  prepared  to  help  the  victim  seek  protection  during  the  investigation. 

I.  Directory  Information 

Because  directory  information  includes  the  name,  location  and  condition  of  the  pa- 
tient, a  perpetrator  could  easily  locate  a  victim  to  commit  further  violent  acts.  While 
individuals  who  are  not  incapacitated  would  have  an  opportunity  to  opt  out  or  limit 
the  amount  of  information  to  be  disclosed,  incapacitated  individuals  would  have  no 
protection.  A  provider  who  reasonably  believes  that  the  injuries  of  an  incapacitated 
individual  coiild  be  the  result  of  domestic  violence  should  be  prohibited  from  disclos- 
ing the  location  of  the  individual.  We  believe  that  such  a  Umitation  is  essential  for 
the  safety  of  domestic  violence  victims.  Providers  should  be  given  discretion  to  dis- 
close the  location  of  the  individual  to  immediate  family  members  who  quaUfy  as 
next  of  kin  and  when  the  provider  does  not  beheve  the  injuries  could  be  a  result 
of  domestic  violence. 

J.  Notice  of  Information  Practices 

We  encourage  the  Secretary  to  require  entities  to  make  reasonable  efforts  to  ob- 
tain a  signed  acknowledgment  that  the  individual  has  received  and  read  the  notice 
of  information  practices.  While  we  believe  that  a  signed  authorization  is  the  best 
poUcy,  we  also  beheve  that  a  signed  acknowledgment  could  also  serve  as  an  "initial 
moment."  (See  Treatment,  Payment  and  Health  Care  Operations) 

K.  Next  of  Kin 

We  are  very  concerned  about  situations  where  a  perpetrator  who  is  a  next  of  kin 
attempts  to  obtain  information  about  his  victim's  treatment  for  her  injuries.  If  the 
perpetrator  discovers  that  the  victim  discussed  her  injuries  and  identified  the  per- 
petrator by  name,  he  could  confront  the  victim.  This  confrontation  may  be  another 
violent  episode.  We  strongly  beheve  that  where  verbal  agreement  cannot  be  ob- 
tained any  disclosure  must  take  into  consideration  whether  the  information  could 
jeopardize  the  safety  of  the  victim. 

We  are  also  concerned  that  the  proposed  rule  does  not  have  adequate  verification 
procedures  to  identify  those  who  are  requesting  information.  If  verbal  agreement  is 
not  possible,  the  perpetrator  could  easily  obtain  domestic  violence  information.  In 
the  Secretary's  preamble  (p.  59972),  she  states  that  when  there  is  no  verbal  agree- 
ment, a  verbal  inquiry  into  the  identity  of  the  person  requesting  the  information  is 
sufficient.  We  strongly  disagree  and  believe  that  an  entity  should  verify  the  identity 
of  the  next  of  kin  who  has  requested  the  information.  A  perpetrator  could  attempt 
to  obtain  information  as  next  of  kin  while  the  victim  is  unconscious  in  order  to  find 
out  whether  she  previously  identified  him  as  the  perpetrator.  By  verifying  the  iden- 
tity of  the  person  requesting  the  information,  a  provider  could  then  make  an  in- 
formed decision  as  to  whether  the  safety  of  the  victim  may  be  jeopardized. 
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L.  Right  to  Restrict 

We  recommend  that  the  Secretary's  proposed  right  to  request  restrictions  on  all 
information  be  retained.  However,  a  mere  right  to  request  restrictions  does  not  ade- 
quately address  the  safety  concerns  of  victims  of  domestic  violence  or  the  discrimi- 
nation and  safety  concerns  of  others  with  sensitive  health  conditions.  Victims  of  do- 
mestic violence  have  immediate  safety  concerns  when  information  about  their  treat- 
ment is  disclosed  to  the  perpetrator.  Often  perpetrators  are  angered  if  they  find  out 
that  their  victims  have  told  a  provider  about  the  abuse.  As  a  result,  the  victim  may 
be  in  more  serious  danger  of  personal  harm.  There  are  many  ways  for  perpetrators 
to  discover  that  the  victim  has  had  or  is  seeking  medical  attention,  or  discover  the 
whereabouts  of  the  victim  (i.e.  by  finding  a  bill  or  explanation  of  benefits  or  notice 
of  appointment  in  the  mail,  answering  medical  history  questions  posed  by  an  at- 
tending health  care  worker  or  an  insurer,  directly  asking  a  provider  or  insurer,  or 
by  false  pretenses).  The  victim  should  be  able  to  request  that,  to  the  extent  possible, 
covered  entities  not  use  or  disclose  protected  health  information  in  ways  that  would 
alert  the  perpetrator.  Thus,  the  victim  should  be  able  to  request  that  a  bill  be  sent 
to  a  different  address,  or  that  the  perpetrator  (if  identified)  not  be  given  particular 
health  information  about  the  victim,  or  that  only  specified  persons  be  given  fiill  ac- 
cess to  the  patient's  health  information.  Not  requiring  that  entities  restrict  use  of 
information  has  broad  effects.  If  victims  of  domestic  violence  are  not  adequately  as- 
sured of  the  confidentiality  of  their  information,  they  will  be  less  likely  to  seek  med- 
ical attention  and  counseUng.  Failing  to  give  victims  a  true  right  to  limit  disclosures 
of  their  health  information  where  the  disclosure  would  endanger  their  safety  under- 
mines the  efforts  of  the  health  care  community  to  serve  victims  and  deprives  victims 
of  necessary  care  and  assistance. 

We  appreciate  the  Secretary's  concern  about  the  unworkability  of  an  absolute 
right  to  restrict,  but  when  restrictions  concern  information  that  could  jeopardize  the 
patient's  safety,  the  safety  of  the  individual  outweighs  any  administrative  burden. 
While  restrictions  may  be  ignored  or  overlooked  because  the  person  handling  the  in- 
formation is  unaware  of  the  restrictions,  we  believe  that  entities  could  minimize  any 
oversight  by  flagging  restricted  information  in  a  noticeable  place  and  manner  on  the 
information  itself.  All  entities  who  receive  sensitive  information  subject  to  restric- 
tions by  the  individual  should  be  informed  of  and  comply  with  the  restrictions. 

We  are  very  concerned  that  the  Secretary's  proposed  rule  does  not  permit  individ- 
uals to  request  restrictions  on  the  use  and  disclosure  of  information  in  emergency 
situations.  We  strongly  beUeve  that  the  right  to  restrict  should  apply  in  emergency 
situations.  A  victim  who  has  been  harmed  by  violence  may  first  turn  to  emergency 
services  for  aid,  and  the  victim  should  be  able  to  request  that  the  perpetrator  not 
be  told  of  her  condition  or  whereabouts. 

M.  Inspection  and  Copying 

We  recommend  that  the  rule  grant  covered  entities  broader  discretion  to  deny  ac- 
cess to  protected  health  information  in  certain  circumstances  where  necessary  to 
protect  minors  and  other  vulnerable  people  (elders,  or  those  who  are  incapacitated 
or  incompetent)  from  abuse  by  their  parents,  guardians,  persons  acting  in  loco 
parentis,  or  legal  representatives  who  seek  information  under  section  164.514.  Extra 
protection  is  necessary  for  vulnerable  people  who  depend  on  others  to  exercise  their 
rights  under  the  regulations,  but  who  m^ust  be  shielded  from  those  empowered  to 
act  in  their  stead.  Health  care  professionals  who  treat  victims  of  child  abuse,  elder 
abuse,  and  other  forms  of  domestic  violence  should  have  the  discretion  to  withhold 
information  about  their  patients  from  those  whom  the  professional  reasonably  be- 
lieves may  harm  the  patient.  Such  discretion  is  critical  when  the  patient  has  re- 
vealed the  abuse  and  physical  or  emotional  retaliation  by  the  abuser  is  a  real  possi- 
bility. 

V.  Conclusion 

While  we  have  many  concerns  with  the  proposed  regulation,  we  beheve  that  the 
rule  provides  greater  privacy  protections  than  exist  today.  We  strongly  encourage 
Congress  to  take  the  important  next  step  by  filHng  the  gaps  left  by  HIPAA. 


Statement  of  Health  Industry  Manufacturers  Association 

This  testimony  is  submitted  on  behalf  of  the  Health  Industry  Manufacturers  Asso- 
ciation (HIMA)  and  its  800  member  companies.  HIMA  is  the  largest  medical  tech- 
nology trade  association  in  the  world,  representing  manufacturers  of  medical  de- 
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vices,  in  vitro  diagnostic  products  and  health  information  systems.  HIMA  member 
companies  supply  nearly  90  percent  of  the  $68  billion  of  health  care  technology 
products  purchased  annually  in  the  United  States  and  more  than  50  percent  of  the 
$159  billion  purchased  annually  worldwide.  We  welcome  the  opportunity  to  submit 
testimony  for  the  record  on  issues  surrounding  the  privacy  of  individually  identifi- 
able health  information. 

Comments  on  the  Proposed  Privacy  Regulation 

Medical  technology  encompasses  thousands  of  life-saving  and  life-enhancing  prod- 
ucts used  by  more  than  50  medical  specialties  in  numerous  procedures  and  applica- 
tions. Through  advances  in  medical  technology,  more  lives  are  saved,  illnesses  are 
prevented  and  recovery  times  are  shorter. 

Medical  device  innovation  differs  significantly  from  pharmaceutical  development 
in  that  most  devices  on  the  market  today  result  from  a  series  of  incremental  im- 
provements to  preexisting  devices.  These  improvements  result  from  continued  vigi- 
lance by  the  manufacturer  and  substantial  input  from  the  provider  community.  Al- 
though well-designed  research  plays  a  significant  role,  formal  research  projects  must 
be  complemented  by  one-to-one  interaction  between  the  researchers  tasked  with  de- 
veloping and  improving  a  technology  and  the  clinical  personnel  who  use  it  in  their 
therapeutic  and  diagnostic  interactions  with  patients.  Continuity  and  perseverance 
in  research  and  the  ability  to  communicate  freely  with  caregivers  and  patients  are 
key  drivers  of  innovation. 

HIMA  strongly  supports  the  development  of  reasonable  patient  confidentiality 
standards.  We  recognize  the  difficulties  associated  with  developing  privacy  stand- 
ards as  highlighted  by  the  Department  of  Health  and  Human  Services  (HHS)  in  the 
Background  section  of  the  preamble  to  the  proposed  rule.  HHS  has  made  a  consider- 
able effort  toward  ensuring  that  patient  safety,  the  quality  of  care  and  medical  re- 
search are  not  adversely  affected  by  this  regulation.  Nevertheless,  we  believe  the 
proposed  rule  still  has  many  shortcomings.  There  are  numerous  requirements  that 
are  unrealistic  and  will  not  meet  the  needs  of  a  health  care  system  that  is  far  more 
complex  than  that  contemplated  by  the  proposed  regulation  or  the  statute.  Many 
items  are  ambiguous  or  require  much  more  explanation  and  clarification. 

Taken  together,  these  factors  create  concern  from  our  perspective  about  the  safety 
and  quality  of  patient  care,  and  our  ability  to  collect  data  to  support  medical  re- 
search. We  believe  these  problems  must  be  addressed  in  a  satisfactory  manner  be- 
fore any  final  regulatory  framework  is  implemented. 

We  are  pleased  to  share  with  the  Subcommittee  our  concerns  about  the  proposed 
HHS  privacy  regulation.  These  are: 

The  Definition  of  Covered  Entity  Should  Exclude  Most  Device  Manufac- 
turers 

We  are  extremely  troubled  that  the  proposed  rule  does  not  clarify  that  the  vast 
majority  of  device  manufacturers  are  not  covered  entities.  As  currently  drafted,  the 
definition  of  covered  entity  includes  device  manufacturers  who  act  as  Medicare  sup- 
pliers. These  types  of  companies  comprise  a  very  small  portion  of  the  medical  device 
industry.  Because  the  definition  of  a  covered  entity  does  not  distinguish  between  the 
majority  of  device  manufacturers  and  the  "supplier  manufacturers,"  it  has  the  po- 
tential to  be  misinterpreted  by  implying  that  device  manufacturers,  in  general,  are 
covered  entities. 

The  rule  is  also  vague  in  cases  where  a  "supplier  manufacturer"  has  only  one  part 
of  its  business  that  acts  as  the  "supplier."  Thus,  in  addition  to  urging  HHS  to  clarify 
that  the  vast  majority  of  device  manufacturers  are  not  intended  to  be  covered  enti- 
ties imder  the  rule,  we  have  urged  more  detail  regarding  the  scope  of  the  supplier 
component  and  its  relationship  to  the  rest  of  the  compan/s  business. 

Requirements  to  "Deidentify"  Individual  Health  Information  are  Unwork- 
able 

We  believe  the  rule's  requirement  that  19  identifiers  be  removed  before  protected 
health  information  can  be  considered  "deidentified"  is  unworkable  and  will  yield  in- 
formation which  in  most  cases  is  useless  for  research  purposes.  Additionally,  the 
proposed  rule  deviates  from  the  "reasonable  basis"  standard  promulgated  by  the 
Health  Insurance  Portability  and  Accountability  Act  (HIPAA)  and  instead  adopts  a 
standard  which  will  be  very  difficult  to  meet,  where  one  must,  in  effect,  demonstrate 
that  there  is  "no  reason  to  believe"  that  a  recipient  of  protected  hesdth  information 
could  "reidentify^'  the  recipient. 

In  light  of  HIPAA's  civil  and  criminal  provisions,  it  is  likely  these  requirements, 
if  adopted,  will  severely  impede  medical  research  by  creating  an  atmosphere  of  ex- 
treme uncertainty  surrounding  what  data  can  be  legitimately  released  by  a  covered 
entity.  We  have  urged  HHS  to  adopt  the  HIPAA  standard  regarding  individually 
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identifiable  health  information.  This  will  allow  health  information  to  be  used  imless 
there  is  a  reasonable  basis  to  believe  that  the  information  can  be  used  to  identify 
the  individual. 

The  Definition  of  Public  Health  Authority  Must  Be  Expanded 

The  proposed  rule  has  a  severely  limited  definition  of  public  health  authority. 
Medical  device  manufacturers  operate  in  a  global  environment.  As  such,  device  man- 
ufacturers must  provide  protected  health  information  not  only  to  U.S.  government 
entities,  but  also  to  government  entities  in  other  countries  as  well  as  private  organi- 
zations. It  is  critical,  therefore,  that  the  definition  of  public  health  authority  be  ex- 
panded to  allow  disclosures  to  foreign  governments  and  private  sector  organizations. 

Device  Manufacturers  Should  Be  Permitted  to  Support  Treatment  and 
Diagnosis 

The  proposed  rule  does  not  permit  manufacturers  to  support  providers  with  treat- 
ment or  diagnosis  where  protected  health  information  may  be  disclosed.  As  a  result, 
patient  care  may  be  jeopardized  and  access  to  life-saving  and  life-enhancing  tech- 
nologies may  be  seriously  delayed. 

Device  manufacturers  fi'equently  assist  providers  with  the  operation  and  use  of 
a  particular  device  or  customize  devices  for  particular  patients.  In  many  cases,  the 
Food  and  Drug  Administration  (FDA)  requires  these  activities  and  thus  would  be 
permitted  by  the  proposed  rule.  Occasionally,  however,  a  provider  may  ask  a  manu- 
facturer for  support  that  is  not  required  by  FDA,  an  activity  not  permitted  by  the 
proposed  rule.  In  these  instances,  and  in  order  to  assure  appropriate  patient  care 
or  speedy  patient  access  to  needed  devices,  the  regulation  should  allow  a  provider 
to  disclose  protected  health  information  without  individual  authorization  to  the 
manufacturer. 

Device  Manufacturers  Should  Be  Permitted  to  Train  Providers 

Frequently,  device  manufacturers  are  the  only  entities  with  the  knowledge  and 
experience  to  train  providers  on  the  use  of  a  device.  In  addition  to  written  instruc- 
tional materials,  such  training  frequently  includes  one-on-one  tutorials  in  which  the 
needs  of  individual  patients  are  necessarily  addressed.  As  currently  written,  the  pro- 
posed regulation  prohibits  this  type  of  provider  training  unless  patient  authorization 
is  obtained,  although  the  rule  permits  similar  types  of  training  if  it  is  provided  by 
health  care  professionals. 

To  ensure  the  continued  safe  and  proper  use  of  medical  devices,  we  have  urged 
HHS  to  change  the  proposed  rule  to  reflect  that  effective  medical  education  results 
fi*om  a  variety  of  sources  including  medical  device  companies  and  that  this  type  of 
training  should  be  permissible  without  patient  authorization. 

The  Proposed  Rule  Will  Discourage  the  Collection  of  Needed  Public 
Health  Information 

The  proposed  rule  permits  disclosure  of  protected  health  information  to  device 
manufacturers  when  the  information  is  needed  to  comply  with  rules  or  other  direc- 
tions of  a  governmental  authority.  However,  the  proposed  rule  lists  only  one  require- 
ment, device  tracking,  as  an  example.  The  device  industry  must  comply  with  hun- 
dreds of  FDA  requirements  that  require  the  disclosure  of  protected  health  informa- 
tion. 

Given  the  severe  civil  and  criminal  penalties  which  will  apply  to  entities  violating 
the  confidentiality  standards  established  by  the  rule,  we  are  gravely  concerned  that 
an  atmosphere  may  develop  where  hospitals  and  other  providers  who  now  freely 
provide  needed  information  to  device  manufacturers,  wiU  be  reluctant  to  provide 
that  same  information  in  the  future. 

To  ensure  that  medical  device  manufacturers  can  carry  out  the  activities  man- 
dated by  FDA  and  other  government  agencies  that  require  protected  health  informa- 
tion without  individual  authorization,  it  is  essential  that  the  final  rule  enumerate 
the  many  requirements  with  which  device  manufacturers  must  comply. 

Device  Manufacturers  Should  Be  Permitted  to  Support  Data  Collection 
Activities  of  Governmental  and  Private  Entities 

The  proposed  rule  permits  disclosure  of  protected  health  information  to  a  govern- 
ment health  data  system  used  to  collect  data  for  analysis  in  support  of  policy,  plan- 
ning, regulatory  or  management  functions  authorized  by  law.  Government  (specifi- 
cally the  Health  Care  Financing  Administration  (HCFA))  as  well  as  private  payers 
often  rely  on  device  manufacturers  to  supply  this  information  specifically  to  support 
reimbursement  and  coverage  poHcies. 

We  beHeve  the  rule  should  allow  device  manufacturers  to  collect  protected  health 
information  that  will  be  used  to  support  HFCA's  reimbursement  poUcies  and  other 
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related  decisions.  The  rule  should  also  allow  device  manufacturers  to  collect  the 
same  information  for  third  party  payers  who,  in  turn,  must  supply  device  reim- 
bursement information  to  HCFA. 

The  Proposed  Requirements  for  Research  Invalidate  the  Common  Rule 

Finally,  the  proposed  rule  establishes  new  criteria  to  be  included  in  patient  con- 
sent forms  for  participation  in  medical  research  which  conflict  with  current  law  gov- 
erning human  participation  in  cUnical  trials  and  which  are  inappropriate  for  medi- 
cal device  trials. 

Currently,  the  form  and  content  of  patient  authorizations  to  participate  in  medical 
device  trials  are  established  by  Institutional  Review  Boards  acting  in  accord  with 
the  federal  regulatory  framework  for  the  protection  of  human  subjects  (known  as 
the  Common  Rule).  The  proposed  rule  invalidates  a  number  of  the  elements  re- 
quired by  the  Common  Rule.  Additionally,  a  number  of  the  elements  in  the  proposed 
form  are  confusing  and  inappropriate  for  medical  device  clinical  trials  and  the  vol- 
unteers who  participate  in  them. 

Conclusion 

In  conclusion,  HIMA  strongly  supports  measures  that  will  ensure  that  individual 
health  information  is  appropriately  protected  while  maintaining  the  safety  and  qual- 
ity of  care  through  necessary  communications  and  procedures.  We  believe  the  pro- 
posed privacy  rule  has  a  number  of  shortcomings  that  will  impede  important  re- 
search needed  to  support  device  innovation  and  patient  access  to  new  £ind  improved 
medical  technologies.  We  look  forward  to  workable  solutions  that  will  guarantee  safe 
patient  access  to  innovative  technologies  through  mechanisms  that  promote  medical 
research  and  quality  of  care. 


Statement  of  Daniel  V.  Yager,  LPA,  Inc. 

Mr.  Chairman  and  Members  of  the  Subcommittee: 

Thank  you  for  allowing  us  to  present  our  views  to  your  Subcommittee  regarding 
the  proposed  medical  privacy  regulations  issued  by  the  Department  of  Health  and 
Human  Services  on  November  3,  1999,  "Standards  for  Privacy  of  Individually  Identi- 
fiable Health  Information."  LPA,  is  a  public  policy  advocacy  organization  represent- 
ing senior  human  resource  executives  of  more  than  250  of  the  largest  corporations 
doing  business  in  the  United  States.  LPA's  purpose  is  to  ensure  that  U.S.  employ- 
ment policy  supports  the  competitive  goals  of  its  member  companies  and  their  em- 
ployees. Collectively,  LPA  member  companies  employ  more  than  12  million  employ- 
ees, or  12  percent  of  the  private  sector  workforce. 

Although  perhaps  not  intended  by  the  Department  of  Health  and  Human  Services 
(HHS),  LPA  believes  that  the  proposed  medical  privacy  regulations  could  arguably 

Erevent  employers  from  conducting  drug  testing  and  fitness  for  duty  testing  and 
'om  requiring  employees  to  provide  Family  and  Medical  Leave  Act  certifications  as 
permitted  imder  current  law.  On  February  15,  2000,  LPA  filed  comments  with  HHS 
detailing  our  concerns,  based  upon  based  upon  extensive  discussions  with  LPA 
member  companies. 

LPA's  comments  underscore  the  critical  role  played  by  drug  testing  in  promoting 
workplace  safety  and  reducing  medical  and  workers'  compensation  costs.  The  com- 
ments note  that  70%  of  all  employers  conduct  drug  testing.  Even  HHS  conducts 
drug  testing  before  hiring  its  criminal  investigators.  LPA  believes  that  it  is  impor- 
tant that  the  final  medical  records  confidentiality  regulations  encourage,  rather 
than  discourage,  employers  to  engage  in  drug  testing,  even  if  the  testing  is  not  re- 
quired by  federal  law. 

The  comments  also  point  out  that  fitness  for  duty  tests  are  already  subjected  to 
extensive  restrictions  under  the  Americans  with  Disabilities  Act  (ADA),  which  re- 
quires employers  to  keep  all  employee  medical  records  confidential.  The  ADA  also 
regulates  when  an  employer  may  require  an  employee  or  prospective  employee  to 
take  a  fitness  for  duty  test  and  which  supervisors  may  view  the  results  of  the  test. 
Because  such  tests  confirm  whether  an  employee  is  physically  and  mentally  capable 
of  handling  dangerous  tasks,  they  have  the  added  benefit  of  ensuring  that  employ- 
ers are  providing  a  workplace  free  from  recognized  hazards  under  the  Occupational 
Safety  and  Health  Act.  LPA  believes  that  the  regulations  should  clearly  exclude  fit- 
ness for  duty  tests. 

Similarly,  employers  may  require  employees  to  provide  medical  certifications 
under  the  Family  and  Medical  Leave  Act  (FMLA)  to  ensure  that  the  employees  use 
the  federally-mandated  leave  for  proper  purposes.  Although  the  regulations  may  im- 
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pact  an  employer's  administration  of  the  FMLA  less  severely  than  drug  testing  pro- 
grams and  fitness-for-duty  testing  under  the  ADA,  LPA  has  urged  the  Department 
of  Health  and  Human  Services  to  clarify  that  these  certifications  would  not  be  im- 
pacted by  the  final  regulations. 

Mr.  Chairman,  LPA  beheves  that  medical  records  used  for  human  resources  pur- 
poses are  already  substantially  protected  by  employment  laws.  We  urge  the  sub- 
committee to  voice  its  strong  opposition  to  the  additional  restrictions  in  the  regula- 
tions that  would  only  serve  to  make  an  employer's  compHance  with  existing  laws 
more  difficult  without  bolstering  employee  protection.  A  complete  copy  of  our  com- 
ments is  attached  for  your  information. 


February  15,  2000 

U.S.  Department  of  Health  and  Human  Services 
Assistant  Secretary  for  Planning  and  Evaluation 
Attn:  Privacy-?,  Room  G-322A 
Hubert  H.  Humphrey  Building 
200  Independence  Ave.,  SW 
Washington,  DC  20201 

RE:  Standards  for  Privacy  of  Individually  Identifiable  Health  Information 
To  Whom  It  May  Concern: 

We  are  writing  to  express  our  strong  concerns  regarding  the  appUcation  of  the 
medical  privacy  regulations  proposed  on  November  3,  1999,^  to  the  ability  of  em- 
ployers to  maintain  mandatory  drug  testing  programs  and  to  make  critical  employ- 
ment decisions  which  are  currently  already  subject  to  restrictions  under  numerous 
federal  and  state  laws,  including  the  Americans  with  Disabihties  Act,  the  Family 
and  Medical  Leave  Act,  and  the  Occupational  Safety  and  Health  Act. 

LPA,  Inc.  is  a  pubUc  pohcy  advocacy  organization  representing  senior  human  re- 
source executives  of  more  than  250  of  the  largest  corporations  doing  business  in  the 
United  States.  LPA's  purpose  is  to  ensure  that  U.S.  employment  poUcy  supports  the 
competitive  goals  of  its  member  companies  and  their  employees.  LPA  member  com- 
panies employ  more  than  12  million  employees,  or  12  percent  of  the  private  sector 
workforce.  Because  of  the  broad  scope  of  the  regulations  as  discussed  below,  we  be- 
lieve every  LPA  member  company  would  be  affected  in  a  significant  manner. 

LPA's  member  companies  have  numerous  concerns  with  regard  to  the  regulations 
which  will  be  expressed  through  their  own  individual  comments  as  well  as  those  of 
other  organizations  to  which  they  belong.  LPA  does  not  beheve  the  agency  intended 
the  regulations  to  cover  an  employer's  use  of  employment-related  medical  informa- 
tion within  the  bounds  of  current  law.  However,  the  regulations  are  sufficiently 
vague  that  it  is  possible  that  they  cover  drug  testing  and  other  areas  involving  criti- 
cal employment  decisions  where  Congress  and  various  state  legislatures  have  al- 
ready chosen  to  regulate  the  disclosure  of  health  information.^ 

Our  concern  centers  upon  the  broad  definition  of  'Tiealth  information"  in  §  160.103 
to  include  "any  information  .  .  .  that  (1)  Is  created  or  received  by  a  health  provider 
.  .  .  [or]  .  .  .  employer  .  .  .;  and  (2)  Relates  to  the  past,  present,  or  future  physical 
or  mental  health  or  condition  of  an  individual.  .  .."  This  definition  arguably  could 
be  broad  enough  to  include: 

•  data  compiled  pursuant  to  a  mandatory  drug  testing  program  maintained  by 
an  employer  as  a  condition  of  employment  for  its  employees; 

•  data  compiled  pursuant  to  a  fitness  for  duty  test  conducted  in  accordance  with 
the  Americans  with  Disabihties  Act  to  provide  a  reasonable  accommodation  or  to  en- 
sure that  an  individual  is  capable  of  performing  strenuous  or  difficult  work;  and 

•  information  contained  in  a  certification  provided  by  an  employee  as  a  condition 
to  his  or  her  entitlement  to  medical  leave  pursuant  to  the  Family  and  Medical 
Leave  Act. 

LPA  does  not  beheve  the  agency  intended  to  limit  these  activities.  However,  be- 
cause the  proposed  regulations  cover  "protected  health  information,"  which  essen- 
tially means  electronically  transmitted  health  information  that  identifies  a  particu- 


1  Standard  for  Privacy  of  Individually  Identifiable  Health  Information,  64  Fed.  Reg.  59,918 
(proposed  Nov.  3,  1999). 

2  LPA  agrees  with  the  statement  in  the  Preamble  that  the  Secretary  does  not  have  the  author- 
ity under  the  Health  Insurance  Portability  and  Accountability  Act  to  regulate  the  use  of  pro- 
tected health  information  once  it  is  disclosed  to  employers.  See  id.  at  59,923.  As  is  detailed  in 
this  letter,  employer  use  of  such  information  is  already  substantially  regulated  by  existing  law. 
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lar  individual,  the  regulations  would  appear  to  govern  electronically  transmitted  in- 
formation used  for  the  purposes  listed  above.  LPA  believes  that  the  final  regulations 
should  clearly  exempt  these  uses  from  their  scope,  both  for  compelling  public  policy 
reasons  and  because  they  are  adequately  regulated  by  existing  employment  laws. 
Each  of  these  concerns  will  be  discussed  separately  below. 

I.  Mandatory  Drug  Testing  Programs 

Many  employers  implement  drug  testing  of  prospective  and  current  employees  to 
ensure  that  their  employees  do  not  pose  a  threat  to  themselves,  their  co-employees, 
or  the  public  at  large.  Indeed,  federal  agencies  are  required  to  test  appHcants  and 
employees  in  sensitive  positions  for  drugs  imder  Executive  Order  12,564,3  which  im- 
plements a  drug-free  federal  workplace.  A  review  of  federal  agency  web  site  job  post- 
ings reveals  that  drug  testing  is  a  prerequisite  for  individuals  seeking  certain  fed- 
eral jobs,  such  as  those  who  apply  as  criminal  investigators  in  the  Department  of 
Health  and  Human  Services  ^  and  communications  equipment  specialists  for  the 
Federal  Aviation  Administration. ^ 

Likewise,  private  sector  employers  have  used  drug  testing  programs  for  years  to 
enhance  workplace  safety,  particularly  when  the  jobs  involve  hazardous  activities 
such  as  manufacturing  or  transportation.  The  most  recent  statistics  indicate  that  70 
percent  of  all  employers  test  their  employees  for  drugs. ^  Employers  have  imple- 
mented workplace  drug  testing  for  a  variety  of  reasons,  including  to  enhance  work- 
place safety,  maintain  product  quality,  productivity  and  employee  morale,  and  re- 
duce medical  and  workers'  compensation  costs. 

Overall,  workplace  drug  use  is  estimated  to  cost  employers  over  $100  million  an- 
nually.^ The  anecdotal  evidence  of  the  effectiveness  of  workplace  drug  testing  pro- 
grams is  "compelling"  according  to  the  U.S.  Department  of  Labor's  Internet  site.  For 
example: 

•  drug-using  employees  at  GM  average  40  days  sick  leave  each  year  compared 
with  4.5  days  for  non-users; 

•  employees  testing  positive  on  pre-employment  drug  tests  at  Utah  Power  & 
Light  were  5  times  more  likely  to  be  involved  with  a  workplace  accident  than  those 
who  tested  negative; 

•  in  Ohio,  the  establishment  of  drug-testing  and  treatment  programs  reduced  on- 
the-job  injuries  by  97  percent; 

•  Southern  Pacific  Railroad  experienced  a  71  percent  decrease  in  injuries; 

•  a  manufacturer  with  560  employees  reduced  industrial  accidents  over  thirty 
percent.^ 

Thus,  there  is  ample  evidence  that  drug  testing  helps  achieve  vital  workplace 
goals. 

Because  of  the  success  of  programs  like  these,  testing  in  some  industries  is  now 
even  required  by  law,  such  as  the  mandatory  drug  testing  programs  for  commercial 
drivers  required  by  the  Omnibus  Transportation  Employee  Testing  Act  of  1991.1° 
Even  where  drug  testing  is  not  required,  it  is  often  encouraged.  Thus,  the  Drug-Free 
Workplace  Act  of  1988  requires  all  federal  contractors  with  contracts  of  at  least 
$25,000  to  certify  that  they  are  providing  a  drug-free  workplace,  at  the  risk  of  con- 
tract debarment  if  they  fail  to  do  so.  Many  contractors  are  able  to  provide  this  cer- 
tification as  a  result  of  their  drug  testing  programs. 

The  regulations  effectively  appear  to  encompass  information  generated  by  manda- 
tory drug  testing.  The  medical  profession  holds  a  longstanding  belief  that  drug  de- 
pendency is  a  disease  to  be  treated,  rather  than  a  disability  to  be  accommodated. 
However,  if  that  is  the  case,  then  workplace  drug  testing,  despite  an  employer's  de- 


3  Exec.  Order  No.  12,564,  51  Fed.  Reg.  32,889  (Sept.  15,  1986)  reprinted  in  5  U.S.C.A  §7301 
(note)  at  166-70  (1996). 

Department  of  Health  and  Human  Services,  Job  Announcement  for  a  Supervisory  Criminal 
Investigator,  annoiincement  number  OIG-00-001,  available  at  http://www.psc.gov/spo/ 
oigOOOl.shtml. 

^Department  of  Transportation,  Federal  Available  Administration,  Airway  Transportation 
System  Specialist  announcement,  available  at  http://jobs.faa.gov/anndetail.sap7vac  id=47575. 

^American  Management  Association,  1999  AMA  Survey  on  Workplace  Testing,  at  2. 

7  See  e.g.,  G.  John  Tysse  and  Garen  E.  Dodge,  WINNING  THE  WAR  ON  DRUGS:  THE  ROLE 
OF  WORKPLACE  TESTING,  147(1989) 

^Department  of  Labor  Internet  Site:  "Working  Partners  for  an  Acohol  and  Drug-free  Work- 
place, Background  Information:  Workplace  Substance  Abuse,"  available  at  http://www.dol.gov/ 
dol/asp/public/problems/drugs/backgmd.htm. 

1049  U.S.C.A.  §20103. 

1141  U.S.CA.  §  et  seq.  (West  1987  &  Supp.  1999). 

12 See,  e.g.,  American  Medical  Assn.,  Drug  Dependencies  As  Diseases,  House  of  Delegates  Res- 
olution H-95.983  (Jan.  1998)  available  at  http://www.ama-assn.org/apps/pf  online/pf  online. 
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sire  to  maintain  a  safe  workplace,  is  covered  under  the  proposed  regulations'  defini- 
tion of  health  care,  which  includes  "preventive,  diagnostic  .  .  .  rehabilitative  .  .  . 
care,  counseling,  service  or  procedure  with  respect  to  the  physical  or  mental  condi- 
tion, or  functional  status  of  a  patient." 

Because  it  is  important  that  employers  be  able  to  continue  to  maintain  mandatory 
drug  testing  programs.  Congress  excluded  them  altogether  from  the  strict  require- 
ments of  the  Americans  with  Disabilities  Act  governing  medical  examinations,  The 
exclusion  of  mandatory  drug  testing  programs  from  the  ADA  requirements  made 
sound  policy  sense — to  encourage  workplace  drug  testing.  However,  the  exclusion 
also  logically  flowed  from  the  fact  that  such  programs  seek  to  obtain  information 
about  the  deHberate  illegal  activities  of  individuals  that  could  have  serious  work 
consequences,  even  if  those  activities  were  the  result  of  a  disease  that  is  beyond 
their  control. 

The  same  considerations  that  led  Congress  to  exclude  testing  for  the  illegal  use 
of  drugs  fi"om  the  strict  regulation  of  medical  examinations  under  the  Americans 
with  Disabilities  Act  should  lead  to  the  same  exclusion  from  the  proposed  regula- 
tions. 

II.  Fitness  for  Duty  Testing 

Many  jobs  require  certain  levels  of  physical  and/or  mental  competencies.  Fitness 
for  duty  examinations  allow  employers  to  determine  whether  an  individual  can  per- 
form the  essential  functions  of  the  job  and,  if  they  are  not  able  to  because  of  a  dis- 
ability, whether  a  reasonable  accommodation  can  be  made  to  enable  them  to  per- 
form those  functions.  Likewise,  fitness  tests  for  safety  purposes  confirm  that  an  em- 
ployee is  physically  and  mentally  capable  of  handing  dangerous  tasks.  Each  of  these 
similar  but  distinct  situations  is  dealt  with  below. 

The  Equal  Employment  Opportimity  Conmiission,  in  its  January  1992  "Technical 
Assistance  Manual  on  the  Employment  Provisions  (Title  I)  of  the  Americans  With 
DisabiUties  Act,"  provides  several  examples  of  fitness  tests,  all  of  which  are  consist- 
ent with  the  ADA'S  protections: 

•  ensuring  that  "prospective  construction  crane  operators  do  not  have  disabilities 
such  as  uncontrolled  seizures  that  would  pose  a  significant  risk  to  other  workers;" 

•  testing  of  workers  in  certain  health  care  jobs  "to  ensure  they  do  not  have  a  cur- 
rent contagious  disease  or  infection  that  would  pose  a  significant  risk  of  trans- 
mission to  others;"  and 

•  ensuring  that  an  individual  considered  for  a  position  operating  power  saws  or 
other  dangerous  equipment  is  not  someone  "disabled  by  narcolepsy  who  frequently 
and  unexpectedly  loses  consciousness."  ^'^ 

Under  the  Americans  with  Disabilities  Act,  employers  are  already  substantially 
regulated  as  to  when  they  can  require  medical  exams  of,  or  request  medical  infor- 
mation from  individuals;  what  they  can  examine  or  ask  them  for;  and  what  employ- 
ment decisions  are  permissible  once  medical  information  concerning  the  individual 
is  acquired.  An  employer  is  generally  prohibited  from  discriminating  against  a 
"qualified  individual  with  a  disabiUty,"  which  means  a  disabled  individual  who  can 
perform  the  "essential  functions  of  the  job"  with  or  without  a  "reasonable  accommo- 
dation." 

The  ADA  correctly  recognizes  that  the  employer  must  have  access  to  a  certain 
amoimt  of  medical  information  about  employees  and  prospective  employees  to  com- 
ply with  the  law.  Under  Section  102  of  the  ADA,  employers  have  the  right  to  require 
a  medical  examination  after  an  offer  of  employment  has  been  made  and  prior  to  the 
commencement  of  employment,  If,  during  the  medical  examination,  the  doctor  dis- 
covers a  condition  that  may  affect  the  person's  ability  to  do  the  job,  the  employer 
still  must  go  through  the  "reasonable  accommodation  process"  to  determine  whether 
the  individual  could  do  the  essential  functions  of  the  job  with  a  reasonable  accom- 
modation.   Once  the  individual  has  been  hired,  the  employer  may  not  require  medi- 


cs 64  Fed  Reg.  60,049  (to  be  codified  at  45  C.F.R.  §160.103). 

14  "For  purpose  of  this  subchapter,  a  test  to  determine  the  illegal  use  of  drugs  shall  not  be 
considered  a  medical  examination."  29  U.S.C.A.  §12114(d)(l)  (West  1999). 

i^U.S.  Equal  Employment  Opportunity  Commission,  Technical  Assistance  Man.,  Title  I, 
Americans  with  Disabilities  Act,  reprinted  in  Americans  With  Disabilities  Act  Man.  90:0556 
(BNA)(1992). 

16  M 

^Ud.  at  90:0543. 

18  42  U.S.C.A.  §12112(d). 

1^42  U.S.C.A.  §12111(9). 
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cal  examinations  unless  they  are  "job-related  and  consistent  with  business  neces- 
sity." 20 

Meanwhile,  the  ADA  limits  the  amount  of  medical  information  that  can  be  ob- 
tained during  employment  to  that  information  which  is  job-related  and  consistent 
with  business  necessity.  Strict  confidentiality  requirements  apply  to  the  informa- 
tion, and  several  courts  have  held,  with  agreement  from  the  Equal  Employment  Op- 
portimity  Commission,  that  these  requirements  apply  regardless  of  whether  an  indi- 
vidual has  a  disability.2i  During  the  hiring  process,  the  employer  may  share  medical 
information  only  with  decision-makers  with  a  "need  to  know"  the  information.  Even 
an  employee's  supervisor  and  manager  are  not  entitled  to  any  medical  information 
beyond  what  limitations  the  employee  has  to  do  the  particular  job.  Thus,  the  ADA 
already  protects  against  any  improper  use  of  critical  medical  data  by  the  employer. 

Yet,  the  data  obtained  consistent  with  ADA  requirements  would  appear  to  con- 
stitute "health  information"  under  the  proposed  regulations,  even  though  HHS  prob- 
ably did  not  intend  this  result.  Thus,  even  though  the  employer  would  have  a  nar- 
row right  to  access  the  data  under  the  ADA,  a  new  authorization  requirement  would 
be  superimposed  by  the  proposed  regulations.  As  a  result,  employers  could  be  forbid- 
den from  viewing  the  results  of  medical  exams  taken  to  detect  or  confirm  the  exist- 
ence of  a  disability  that  could  affect  the  ability  of  an  employee  to  do  his  or  her  job 
competently  and  safely. 

This  restriction  has  implications  beyond  the  ADA.  Results  of  fitness  for  duty  tests 
performed  in  accordance  with  the  ADA  may  also  be  used  to  ensure  an  employer  is 
complying  with  the  Occupational  Safety  and  Health  Act  (OSH  Act).  Although  fitness 
for  duty  tests  are  not  required  by  the  OSH  Act,22  employers  may  reduce  unneces- 
sary workplace  accidents  by  implementing  these  tests  because  they  will  identify  em- 
ployees who  are  impaired,  physically  incapable,  or  not  properly  trained  and  ensure 
that  they  are  not  placed  in  jobs  involving  hazardous  work.23  However,  the  medical 
regulations  are  probably  sufficiently  vague  that  the  information  gathered  under 
these  tests  would  not  be  exempted  under  them,  even  though  fitness  testing  is  con- 
sistent with  the  purpose  of  the  OSH  Act. 

In  addition,  the  OSH  Act  specifically  requires  employers  to  provide  voluntary 
medical  testing  for  its  employees.  An  employer  could  use  the  information  received 
to  comply  with  its  general  obligation  \mder  OSHA  to  provide  a  place  of  employment 
that  is  free  from  hazards.  However,  it  would  appear  that  the  information  gathered 
under  these  tests  would  not  be  exempt  from  the  medical  privacy  regulations  and 
therefore  it  could  be  subjected  to  numerous  restrictions  that  would  prevent  the  use 
of  the  data  for  the  very  purpose  that  it  was  intended. 

For  the  foregoing  reasons,  we  recommend  that  the  final  regulations  make  clear 
that  they  will  not  apply  to  information  regarding  fitness  tests  that  an  employer  or 
its  agents  may  lawfully  obtain,  use  or  disclose  under  the  ADA,  state  and  local  laws 
relating  to  discrimination  on  the  basis  of  disability,  the  OSH  Act,  and  state  safety 
and  health  laws.  Use  of  such  information  is  already  adequately  protected  under  the 
ADA,  and  additional  consent  and  disclosure  requirements  would  serve  to  impede  the 
administration  of  federal  antidiscrimination  policy. 

III.  Family  and  Medical  Leave  Act 

Under  the  Family  and  Medical  Leave  Act  (FMLA),  employees  are  guaranteed  a 
right  to  up  to  twelve  weeks  of  leave  annually  for  a  serious  medical  condition.  Under 
Section  103  of  the  FMLA,  employees  who  wish  to  use  FMLA  medical  leave  can  be 
required  by  their  employer  to  provide  a  certification  issued  by  a  health  care  provider 
that  discloses,  in  part: 

•  the  date  on  which  the  employee's  "serious  medical  condition"  began; 

•  the  probable  duration  of  the  condition; 

•  the  "appropriate  medical  facts  within  the  knowledge  of  the  health  care  provider" 
regarding  the  condition;  and 


2042  U.S.C.A.  §121 12(d)(4)(A). 

21  See  Roe  v.  Cheyenne  Mt.  Conf.  Resort,  124  F.3d  1221  (10th  Cir.  1997),  cert,  denied— U.S.— 
,  119  S.  Ct.  1455  (1999);  Criffen  v.  Steeltek,  Inc.,  160  F.3d  591  (10th  Cir.  1998);  Cossette  v.  Min- 
nesota Power  &  Light,  188  F.3d  964  (8th  Cir.  1999);  Fredenberg  v.  Contra  Costa  County  Dept. 
of  Health  Services,  172  F.Sd  1176  (9th  Cir.  1999). 

22  The  OSH  Act  requires  employers  to  provide  employees  "employment  and  a  place  of  employ- 
ment that  is  free  from  recognized  hazards  which.  .  .are  likely  to  cause  death  or  serious  physical 
harm  to  his  employees."  29  U.S. 

23  Although  hazard  avoidance  is  often  employer-driven  "[i]n  many  workplace  situations,  avoid- 
ance of  hazards  depends  on  proper  employee  conduct.  Many  citations  have  been  issued  under 
the  general  duty  clause  either  because  actions  of  employees  created  hazards  or  because  employ- 
ees did  not  take  precautions  to  avoid  hazards."  Stephen  A.  Bokat  and  Horace  A.  Thompson  III, 
Eds.,  OCCUPATIONAL  SAFETY  AND  HEALTH  LAW,  136  (1988).C.A.  §654(a)  (West  1999). 
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•  a  statement  that  the  employee  is  unable  to  "perform  the  functions  of  the  posi- 
tion." 24 

Medical  certifications  provided  by  employees  returning  from  leave  under  the  Fam- 
ily and  Medical  Leave  Act  allow  employers  to  ensure  that  the  employee  is  ready  to 
undertake  the  duties  required  in  the  employee's  position.  Similar  issues  exist  with 
respect  to  the  information  included  in  the  opinion  of  a  second  health  care  provider 
requested  by  an  employer  who  doubts  the  validity  of  the  employee's  initial  certifi- 
cation or  in  the  opinion  of  a  third  health  care  provider  called  upon  to  resolve  a 
conflict  between  the  opinions  of  the  first  and  second  health  care  providers. 

Much  of  the  information  contained  in  the  medical  certification  would  appear  to 
meet  the  definition  of  protected  health  information  imder  all  the  proposed  bills,  and 
would  therefore  be  covered  by  the  requirements  of  those  bills.  However,  under  the 
FMLA,  the  employer  may  require  the  employee  to  provide  a  medical  certification  be- 
fore returning  the  employee  to  his  or  her  job.  Thus,  there  is  an  implicit  requirement 
that  the  employee  provide  consent  for  the  employer  to  see  the  medical  certification. 

To  avoid  any  inadvertent  conflicts  between  employment  law  and  the  medical  pri- 
vacy regulations,  we  recommend  that  the  final  regulations  exclude  protected  health 
information  contained  in  certifications  that  an  employer  or  its  agents  may  use  or 
disclose  when  exercising  their  rights  or  responsibilities  under  the  FMLA. 

IV.  Consequences  of  an  Employee's  Refusal  to  Provide  Authorization 

In  addition  to  recognizing  that  an  employee  authorization  is  not  required  where 
employers  are  currently  permitted  to  use  protected  health  information,  the  regula- 
tions should  state  that  an  employer  is  permitted  to  make  an  employment  decision 
based  on  an  employee's  refusal  to  provide  the  results  of  a  drug  or  a  fitness-for-duty 
test  under  the  ADA,  FMLA,  and  similar  laws.  This  would  make  the  regulations  con- 
sistent with  the  existing  application  of  these  laws  and  eliminate  potential  confusion 
regarding  application  of  the  exclusion. 

A  few  examples  illustrate  the  need  for  such  a  provision.  The  ADA  acknowledges 
that  an  employer  is  not  obligated  to  hire  an  employee  with  or  without  a  disability 
who  is  not  able  to  perform  the  essential  functions  of  the  job.  If  an  employee  refuses 
to  submit  to  a  post-offer  fitness  for  duty  test,  or  refuses  to  disclose  the  results  of 
such  a  test,  the  ADA  allows  the  employer  to  refuse  to  hire  the  employee  because 
the  employer  cannot  assess  whether  the  employee  can  perform  the  job's  essential 
functions. 

An  employer  faced  with  the  potential  that  an  unskilled  or  untrained  employee 
could  be  placed  in  a  safety  sensitive  position  and  could  cause  substantial  safety 
problems,  must  determine  the  employee's  fitness  before  they  are  assigned  such  a  po- 
sition. Thus,  an  employer  should  be  allowed  to  take  appropriate  action  against  an 
employee  who  refuses  to  take  or  disclose  the  results  of  a  drug  or  fitness  test  that 
could  result  in  safety  implications. 

Similar  reasoning  applies  under  the  FMLA  and  more  generous  employer-provided 
leave  policies.  As  noted  above,  an  employer  may  require  an  employee  to  provide  a 
medical  certification  and  is  not  required  to  restore  the  employee  to  his  or  her  posi- 
tion until  the  certification  is  provided.  Thus,  if  an  employee  refused  to  provide  the 
disclosure,  the  employer  could  refuse  to  reinstate  the  employee. 

Moreover,  employers  often  provide  benefits  beyond  those  required  by  the  federal 
employment  law.  For  example,  in  addition  to  providing  unpaid  leave  under  the 
FMLA,  many  employers  also  provide  sick  leave  for  short  absences  and  temporary 
disability  benefits  for  longer-term  medical  absences.  For  this  reason,  LPA  also  rec- 
ommends that  the  regulations  should  permit  employers  to  require  employees  to  pro- 
vide certifications  of  their  conditions  to  demonstrate  eligibility  for  these  employer- 
provided  benefits.  The  same  rationale  applies  to  both  situations — in  order  to  receive 
the  protection  of  the  law  or  voluntary  benefits  provided  by  the  employer,  the  em- 
ployee must  demonstrate  that  he  or  she  had  a  bona  fide  condition  that  triggered 
the  protection  or  the  benefits. 

By  acknowledging  that  employers  may  make  employment  decisions  based  on  an 
employee's  refusal  to  take  or  disclose  the  results  of  a  mandatory  drug  or  fitness  for 
duty  test,  a  certification  for  FMLA  or  employer-provided  paid  leave,  the  regulations 
would  protect  the  ability  of  employers  to  comply  with  existing  labor  and  employment 
laws,  maintain  the  safety  of  their  workplaces,  and  offer  generous  leave  packages. 


24  29  U.S.C.A.  §2613(b)(l-^)  (West  1999). 

25  M  at  §2613(c)  &  (d). 
26 /d.  at  §2613(e). 
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V.  Limitation  to  Electronic  Data 

As  proposed,  the  medical  privacy  regulations  only  apply  to  electronically  transmit- 
ted protected  health  information.  However,  the  Secretary  argues  in  the  Preamble 
that  she  has  the  authority  to  regulate  paper  records  under  several  authorities. 
LPA  takes  exception  to  this  statement.  The  Health  Insurance  Portability  and  Ac- 
countability Act  (HIPAA),  which  authorized  the  regulations,  clearly  does  not  author- 
ize the  Secretary  to  regulate  anything  but  electronically  transmitted  information. 
This  is  made  clear  in  the  legislative  history  as  well.^s  LPA  opposes  the  Secretar/s 
stretched  attempt  to  expand  her  authority  beyond  that  which  she  is  expressly  grant- 
ed in  HIPAA. 

Thank  you  for  this  opportunity  to  submit  our  views. 

Sincerely  yours, 

Daniel  V.  Yager 
Senior  Vice  President  and  General  Counsel 


Statement  of  Medical  Group  Management  Association 

Medical  Group  Management  Association  (MGMA)  urges  the  Department  of  Health 
and  Human  Services  (HHS)  to  re-issue  the  proposed  privacy  rule.  "MGMA  appre- 
ciates the  enormous  complexities  that  HHS  was  confronted  with  in  drafting  the  pro- 
posed rule  to  protect  the  confidentiality  of  medical  information.  In  light  of  the  exten- 
sive revisions  that  HHS  should  incorporate  into  a  final  rule,  MGMA  urges  HHS  to 
issue  a  new  proposed  rule  reflecting  the  revisions  before  it  drafts  a  final  rule.  Due 
to  the  importance  and  overarching  impact  of  this  issue,  all  interested  parties  should 
have  an  adequate  opportunity  to  review  and  comment  on  the  changes  to  the  original 
proposed  rule,"  according  to  MGMA  President  and  CEO  Wilham  F.  Jessee,  M.D. 

The  privacy  of  an  individual's  personal  health  information  should  never  be  inap- 
propriately compromised.  However,  MGMA  contends  that  protecting  the  privacy  of 
medical  information  must  be  balanced  against  the  unnecessary  burdens  privacy  pro- 
tections place  upon  group  practice  administrators  and  all  health  care  providers.  Fur- 
thermore, it  is  essential  that  privacy  protections  do  not  interfere  with  vital  activities 
such  as  medical  treatment  and  research. 

"MGMA  commends  the  efforts  of  HHS  to  protect  the  confidentiality  of  medical  in- 
formation. MGMA  believes  HHS  took  several  positive  steps  in  addressing  a  very  dif- 
ficult issue.  However,  we  also  believe  there  are  several  significant  flaws  in  the  pro- 
posed rule,  which  would  place  tremendous  burdens  on  medical  group  practices  and 
interfere  with  the  delivery  of  efficient  and  high  quality  health  care,"  said  Jessee. 

In  light  of  the  limited  applicability  of  the  proposed  rule  mandated  by  the  Health 
Insurance  Portability  and  Accountability  Act  of  1996  (HIPAA),  MGMA  maintains 
that  the  best  avenue  for  protecting  health  information  is  through  comprehensive 
legislation.  MGMA  is  concerned  that  the  proposed  rule  would  not  apply  to  many  en- 
tities that  use  and  disclose  medical  information  on  a  daily  basis  (e.g.,  life  insurance 
issuers,  third-party  administrators,  and  employers).  Furthermore,  the  protections 
provided  in  the  proposed  rule  would  not  cover  purely  paper  records. 

In  its  formal  submission  to  HHS,  MGMA  emphasized  the  following: 

•  Provided  HHS  has  the  authority,  MGMA  urges  HHS  to  expand  the  rule 
to  cover  all  information,  even  information  that  has  never  been  electroni- 
cally maintained  or  transmitted.  There  are  many  medical  organizations,  espe- 
cially small  physician  practices,  that  still  maintain  and  transmit  information  in 
paper  form.  In  order  to  protect  fully  the  confidentiality  of  health  information,  HHS 
should  apply  its  standards  to  all  information,  regardless  of  how  it  is  stored  or  trans- 
mitted. In  addition,  the  proposed  approach  would  create  an  undesirable  and  confus- 


Although  we  are  concerned  that  extending  our  regulatory  coverage  to  all  records  might  be 
inconsistent  wit  the  intent  of  the  provisions  of  HIPAA,  we  believe  that  we  do  have  the  authority 
to  do  so  and  that  there  are  sound  rationale  for  providing  a  consistent  level  of  protection  to  all 
individually  identifiable  health  information  held  by  covered  entities."  Id.  at  59,924. 

28U.S.C.A.  §1320d-2  (West  Supp.  1999),  "The  Committee  recognizes  the  role  of  the  private 
sector  in  establishing  innovative  data  transactions  systems  relating  to  electronic  ex- 
change. .  .privacy  standards,  and  electronic  signatures.  The  standards  adopted  would  protect 
the  privacy  and  confidentiality  of  health  information.  Health  information  is  considered  relatively 
'safe'  today,  and  because  it  is  secure,  but  because  it  is  difficult  to  access.  These  standards  im- 
prove access  and  establish  strict  privacy  protections."  Conference  Report  on  the  Health  Insur- 
ance Portability  and  Accountability  Act  of  1996,  H.  Rep.  No.  104-406  at  99  (1996),  reprinted 
in  5  U.S.C.C.A.N.  1,900  (1996). 
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ing  scenario  involving  "mixed"  records  with  certain  records  potentially  containing 
both  protected  and  unprotected  information.  This  would  place  administrative  bur- 
dens upon  providers  and  administrators  to  ensure  that  protected  health  information 
is  handled  appropriately. 

•  MGMA  supports  the  approach  adopted  by  HHS  in  the  proposed  rule 
that  would  not  require  a  patient's  authorization  to  use  or  disclose  pro- 
tected health  information  (PHI)  for  treatment,  payment,  and  "health  care 
operations."  Patients  expect  that  their  health  information  will  be  used  for  treat- 
ment and  payment  when  they  seek  medical  care.  Requiring  an  authorization  would 
be  a  mere  formality  and  not  serve  a  legitimate  purpose,  since  an  authorization  often 
is  obtained  prior  to  a  patient  receiving  medical  care.  MGMA  strongly  believes  that 
a  separate  authorization  should  not  be  required  for  health  care  operations,  since 
these  activities  are  directly  related  to  and  often  times  inseparable  from  treatment 
and  pa5rment. 

•  HHS  proposes  that  a  covered  entity  must  make  all  reasonable  efforts  not  to  use 
or  disclose  more  than  the  minimum  amount  of  protected  health  information  nec- 
essary to  accomplish  the  intended  purpose  of  the  use  or  disclosure.  While  the  in- 
tent behind  "minimum  necessary**  is  commendable,  MGMA  believes  this 
standard  places  an  unfair  burden  on  the  entity  making  a  disclosure  and 
may  interfere  with  patient  care  as  well  as  patient  safety  initiatives. 

•  While  MGMA  recognizes  the  importance  of  protecting  the  privacy  of 
health  information  in  all  hands,  we  strongly  object  to  the  "business  part- 
ner" proposal  and  recommend  that  HHS  completely  remove  the  liability 
provision  of  the  proposed  rule.  It  is  impractical  and  unrealistic  to  expect  a  cov- 
ered entity  to  monitor  and  determine  if  a  business  partner  is  compl5ring  with  the 
requirements  of  the  regulation.  In  addition,  as  outhned  in  the  rule,  an  individual 
could  sue  a  covered  entity  if  a  business  partner  inappropriately  discloses  informa- 
tion. However,  HIPAA  does  not  extend  to  HHS  the  authority  to  include  a  "private 
right  of  action,"  and  MGMA  beheves  HHS  is  attempting  to  circimivent  the  statute 
through  the  business  partner  proposal. 

•  MGMA  strongly  supports  the  principle  of  "scalability,"  which  provides 
practices  flexibility  in  complying  with  the  proposed  rule's  requirements. 
MGMA  applauds  HHS  for  recognizing  the  fact  that  the  magnitude  and  complexity 
of  the  proposed  rule  will  create  significant  monetary  and  administrative  burdens. 

The  ftdl  text  of  MGMA's  formal  comments  on  the  proposed  rule  is  posted  on  the 
PubUc  PoUcy  section  of  MGMA's  website  at  "http://www.mgma.com/legislation/. 
For  specific  questions  regarding  MGMA's  comments,  please  contact  Aaron  N.  Krupp, 
MGMA  Government  Affairs  Representative,  at  (202)  293-3450. 

Founded  in  1926,  MGMA's  membership  includes  more  than  7,100  organizations, 
representing  more  than  185,000  physicians.  MGMA  executive  offices  are  in  Engle- 
wood,  Colo. 


National  Association  of 
Insurance  Commissioners 
Washington,  DC  20001 

March  1,  2000 

The  Honorable  Wilham  Thomas 
Chair 

Subcommittee  on  Health 
Committee  on  Ways  and  Means 
1 136  Longworth  House  Office  Building 
Washington,  DC  20515S349 

Dear  Chairman  Thomas: 

The  National  Association  of  Insurance  Commissioners  (NAIC),  representing  the 
nation's  fifty-five  chief  insurance  regulators,  submits  the  enclosed  document  and 
asks  that  it  be  included  in  the  record  for  the  hearing  on  health  information  privacy 
held  by  your  subcommittee  on  February  17,  2000. 

The  enclosed  document  is  the  comment  letter  the  NAIC  sent  to  the  United  States 
Department  of  Health  and  Human  Services  regarding  its  proposed  health  informa- 
tion privacy  regulation.  The  letter  raises  many  concerns  including  the  following: 

•  Limited  Applicability  and  Scope: 

The  regulation  only  apphes  to  a  limited  group  of  entities  (health  plans,  health 
care  providers  and  health  care  clearinghouses)  and  only  applies  to  paper  records. 
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While  we  recognize  that  HHS  is  Umited  in  its  authority  and  j\irisdiction  to  apply 
the  standards  estabhshed  in  the  regulation,  we  think  the  regulation  should  apply 
to  a  broader  group  of  entities  that  use  and  disclose  protected  health  information  and 
should  apply  to  all  insurers,  not  just  health  insurers.  We  think  the  regulation 
should  protect  all  forms  of  individually  identifiable  health  information,  both  paper 
and  electronic. 

•  Preemption  of  State  Laws: 

While  we  appreciate  HHS'  intent  to  create  federal  minimum  standards,  to  pre- 
serve stronger  state  laws,  and  to  protect  certain  state  laws  from  any  preemption, 
the  NAIC  membership  has  serious  reservations  about  how  the  preemption  standard 
used  in  the  proposed  regulation  is  to  be  implemented.  The  general  rule  is  that  "pro- 
visions" of  state  law  are  preempted  to  the  extent  that  they  are  "contrary"  to  the  fed- 
eral statutory  and  regulatory  scheme.  We  have  found  similar  standards  not  to  be 
very  helpful  in  comparing  state  laws  to  federal  requirements.  A  state  must  examine 
all  its  laws  relating  to  health  information  privacy  to  determine  whether  or  not  its 
laws  are  contrary  to  the  requirements  in  the  proposed  regulation.  This  in  and  of 
itself  is  a  major  project  for  states  to  undertake. 

We  offer  a  suggestion  to  help  the  operation  of  and  to  ease  the  administrative  bur- 
den of  implementing  this  standard.  We  propose  that  the  states  be  given  the  greatest 
amount  of  flexibility  in  determining  what  the  necessary  scope  of  "provision"  is  when 
applying  the  general  rule's  contrary  standard.  In  the  regulation,  HHS  has  recog- 
nized that  states  know  their  laws  best  and  are  best  informed  about  how  to  apply 
their  laws.  The  NAIC  membership  believes  that  the  definition  should  preserve  to 
the  maximum  extent  possible  state  privacy  initiatives  that  extend  beyond  the  cov- 
ered subject  matter  of  the  proposed  regulation. 

•  Determination  Process: 

There  are  several  serious  flaws  with  this  proposed  process: 

•  First,  the  determination  process  is  overly  burdensome  for  states.  Not  only  do 
states  have  to  conduct  a  "contrary  analysis"  for  aU  of  their  laws  that  protect  health 
information  and  then  submit  requests  for  exceptions  to  HHS,  but  they  also  have  to 
wait  for  HHS  to  make  a  determination  in  order  for  the  states  to  enforce  their  laws. 

•  Second,  the  proposed  regulation  states  that  the  federal  standard  applies  until 
a  determination  is  made.  Cessation  of  state  regulation  in  the  interim  will  essentially 
leave  plans  unregulated  until  HHS  makes  a  determination.  We  beheve  the  current 
assiunption  in  the  proposed  regulation  that  the  federal  standard  applies  until  a  de- 
termination is  made  should  be  reversed.  State  laws  should  stand  until  and  unless 
HHS  has  determined  otherwise. 

•  Third,  the  proposed  regulation  does  not  establish  a  time  fi-ame  or  deadline  by 
which  HHS  has  to  issue  a  determination.  We  suggest  that  HHS  revise  its  regulation 
to  include  a  time  period  by  which  HHS  has  to  make  a  determination.  We  also  sug- 
gest that  if  HHS  does  not  make  a  determination  after  a  specified  amount  of  time, 
then  a  default  determination  should  be  issued  in  favor  of  the  state. 

•  Finally,  even  if  states  eire  granted  an  exemption  from  preemption  through  the 
HHS  determination  process,  there  is  a  three-year  time  limit  on  how  long  a  state  law 
is  exempt  pursuant  to  this  determination.  The  process  is  quite  burdensome  for  the 
states,  so  we  question  the  provision  requiring  states  to  ask  for  a  re-determination 
on  the  same  laws  every  three  years  as  a  waste  of  time  and  resources  for  the  states 
and  for  HHS.  The  time  limit  should  be  ehminated. 

•  Lack  of  Guidance  in  Classifying  State  Insurance  Laws: 

There  is  lack  of  guidance  regarding  state  laws  that  are  contrary  to  the  proposed 
regulation  but  that  could  fall  into  more  than  one  category  of  state  laws  that  are  ex- 
empt from  preemption.  State  insurance  laws  easily  could  fall  into  several  of  the  cat- 
egories of  exceptions.  An  example  is  a  state  law  regulating  health  insurance  plans 
(category  one)  that  is  more  stringent  than  the  federal  regulation  (category  two)  and 
requires  health  insurance  plans  to  report  information  (category  3).  We  request  that 
a  clarification  be  included  in  the  regulation  stating  that  if  a  state  law  faUs  within 
several  different  exceptions,  the  state  chooses  which  exception  shall  apply.  The  pre- 
sumption should  be  that  the  state  has  the  best  knowledge  of  its  laws  and  it  has 
correctly  classified  its  laws  in  the  appropriate  category  of  exceptions.  We  think  this 
simple  clarification  statement  will  avert  much  Utigation  and  prevent  state  insurance 
departments  from  having  to  defend  endless  challenges  to  their  classification  of  their 
laws. 

•  Lack  of  Clarity  in  Classifying  State  Insurance  Department  Activities: 

The  proposed  regulation  establishes  a  list  of  exceptions  to  the  authorization  re- 
quirement, such  that  protected  health  information  may  be  used  or  disclosed  without 
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authorization  in  certain  circumstances.  However,  under  the  HHS  proposed  regula- 
tion, the  activities  of  state  insurance  departments  fit  under  any  one  or  more  of  the 
following  three  exceptions:  (1)  for  disclosure  to  health  oversight  agencies  for  health 
oversight  activities;  (2)  for  disclosure  for  law  enforcement  purposes;  and  (3)  for  use 
and  disclosure  for  judicial  and  administrative  proceedings.  The  regulation  is  unclear 
about  the  role  of  insurance  departments  relative  to  these  exceptions,  and  each  of 
these  exceptions  has  its  own  requirements  and  processes.  We  ask  HHS  to  include 
language  in  the  text  of  the  proposed  regulation  stating  that  if  a  state  insurance  ac- 
tivity falls  within  several  different  exceptions,  the  state  chooses  which  exception 
shall  apply.  In  addition,  we  ask  HHS  to  recognize  the  broad  scope  of  legally  author- 
ized activities  performed  by  insurance  departments  and  to  reflect  those  activities  in 
the  regulation. 

•  Permitted  Versus  Required  Disclosure: 

Under  the  proposed  regulation  covered  entities  are  "permitted"  but  not  "required" 
to  disclose  necessary  protected  health  information  to  health  oversight  and  law  en- 
forcement agencies.  We  believe  that  covered  entities  under  investigation  by  a  state 
agency  shoiild  be  required  to  provide  that  state  agency  with  access  to  necessary 
health  information  when  performing  its  legally  mandated  duties.  This  disclosure 
should  not  be  optional.  By  not  requiring  insurers  to  provide  state  insurance  depart- 
ments with  access  to  records,  filings  and  other  documents  that  may  contain  individ- 
ually identifiable  information,  state  insurance  departments'  abiHty  and  authority  to 
perform  their  regulatory  responsibihties  is  imdermined.  In  addition,  obtaining  au- 
thorization from  aU  of  an  insurer's  clients  for  investigation  of  an  insurer's  business 
practices  is  not  feasible  or  practical. 

In  addition  to  these  concerns,  the  members  of  the  NAIC  would  appreciate  further 
discussions  with  the  witnesses  regarding  the  interaction  between  the  HHS  regula- 
tion and  the  privacy  requirements  found  in  the  newly  enacted  Gramm-Leach-Bliley 
Act. 

For  insights  into  the  NAIC's  position  regarding  the  issues  surrounding  proposed 
federal  health  information  privacy  legislation,  I  refer  you  to  the  testimony  the  NAIC 
submitted  to  your  subcommittee  on  July  20,  1999.  That  testimony  may  be  found  on 
our  website  at  http:/ / www.naic.org / Inews / testimonies  / index.htm. 

If  you  have  any  questions  please  contact  Mary  Beth  Senkewicz  at  (202)  624-7790. 
Sincerely, 

Kathleen  Sebelius, 

Vice-President  NAIC 
Chair,  Health  Insurance  Task  Force 
Commissioner  of  Insurance,  State  of  Kansas 

Enclosure 


February  15,  2000 

Margaret  Ann  Hamburg 

Assistant  Secretary  for  Planning  and  Evaluation 
United  States  Department  of  Health  and  Human  Services 
Hubert  H.  Humphrey  Building 
Room  G-322A 

200  Independence  Avenue,  S.W. 
Washington,  DC  20201 
Attention:  Privacy-P 

Dear  Assistant  Secretary  Hamburg: 

On  behalf  of  the  National  Association  of  Insurance  Commissioners  (NAIC)  Health 
Insurance  Task  Force,  I  hereby  submit  these  comments  on  the  proposed  rules  enti- 
tled, "Standards  for  Privacy  of  Individually  Identifiable  Health  Information,"  pub- 
Hshed  in  the  Federal  PvEGISTER  on  November  3,  1999  (64  Fed.  Reg.  59918-60065). 

The  NAIC  appreciates  the  Department  of  Health  and  Himian  Services'  (HHS)  ef- 
forts to  establish  standards  to  protect  the  privacy  of  individually  identifiable  health 
information  maintained  or  transmitted  in  connection  with  certain  administrative 
and  financial  transactions  and  to  provide  a  basic  level  of  protection  to  consimiers. 
We  too  imderstand  the  necessity  of  protecting  individuals'  health  information,  and 
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as  such,  we  have  adopted  stand-alone  model  privacy  legislation  ^  and  have  incor- 
porated privacy  protections  in  other  health-related  models.  In  general,  we  appreciate 
the  flexibility  afforded  the  states  in  the  HHS  proposed  regulation. 

Drafting  standards  that  protect  the  privacy  rights  of  individuals  with  respect  to 
highly  personal  health  information  is  a  difficult  task.  Like  you,  the  members  of  the 
NAIC  sought  to  write  standards  that  would  not  cripple  the  flow  of  useful  informa- 
tion, that  would  not  impose  prohibitive  costs  on  entities  affected  by  the  legislation, 
and  that  would  not  prove  impossible  to  implement  in  a  world  that  is  rapidly  chang- 
ing from  paper  to  electronic  records.  At  the  same  time,  the  members  of  the  NAIC 
recognized  the  need  to  assure  consumers  that  their  health  information  is  used  only 
for  the  legitimate  purposes  for  which  it  was  obtained,  and  that  this  information  is 
not  disclosed  without  the  consumer's  consent  or  knowledge  for  purposes  that  are 
likely  to  harm  or  offend  the  individual. 

Wliile  there  are  many  similarities  between  the  NAIC  Health  Information  Privacy 
Model  Act  and  the  proposed  regulation,  the  members  of  the  NAIC  have  serious  con- 
cerns about  the  proposed  regulation's  impact  on  the  ability  of  state  insurance  de- 
partments to  perform  their  jobs  and  handle  their  responsibilities,  which  include  pro- 
tecting consumers  and  eUminating  fraud. 

I.  NAIC  Model  in  Relation  to  the  Proposed  Regulation 
A  Background 

The  NAIC  adopted  its  "Health  Information  Privacy  Model  Act"  ("NAIC  Model 
Act")  in  September  1998  (Attachment  A).  This  model  has  a  more  narrow  focus  than 
the  NAIC's  "Insurance  Information  and  Privacy  Protection  Model  Act,"  which  was 
adopted  in  1980.  The  model  act  adopted  in  1980  addresses  the  privacy  of  all  individ- 
ually identifiable  information,  whereas  the  NAIC  Model  Act  adopted  in  1998  estab- 
lishes protections  for  £dl  health  information  and  for  protected  health  information. 
The  NAIC  Model  Act  was  developed  with  state  regulators,  representatives  of  the  in- 
surance and  managed  care  industries,  and  representatives  from  the  provider  and 
consumer  communities.  Our  model  was  developed  to  assist  the  states  in  drafting 
uniform  standards  for  ensuring  the  privacy  of  health  information. 

B.  Similarities 

The  HHS  proposed  privacy  regulation  addresses  many  of  the  same  issues  as  the 
NAIC  Model  Act.  Both  the  NAIC  Model  Act  and  the  proposed  regulation  estabUsh 
procedures  for  the  treatment  of  all  health  information  and  additional  specific  rules 
for  protected  health  information.  They  are  similar  in  their  basic  structures  and  the 
rights  conveyed  to  individuals  regarding  their  health  information. 

In  terms  of  structure,  the  NMC  Model  Act  and  the  regulation  prohibit  entities 
from  using  or  disclosing  health  information  except  as  authorized  by  the  patient  or 
as  specifically  permitted  by  the  Act  or  regulation.  (HHS  Proposed  Regulation 
§  164.506(a);  NAIC  Model  Act  §  lOA).  When  protected  health  information  is  used  or 
disclosed,  both  Umit  the  amoimt  of  information  used  or  disclosed  to  that  amount 
which  is  necessary  for  the  stated  purpose.  (HHS  §  164.506(b)(1);  NAIC  §10).  They 
both  establish  exceptions  to  the  authorization  requirement,  and  many  of  the  excep- 
tions to  the  authorization  requirement  in  the  NAIC  Model  Act  fall  under  what  the 
HHS  proposed  regulation  defines  as  treatment,  payment  or  health  care  operations. 
(HHS  §  164.510;  NAIC  §  11).  The  NAIC  Model  Act  and  the  proposed  regulation  place 
administrative  requirements  on  their  applicable  entities  (HHS  §  164.518,  164.520; 
NAIC  §5),  and  both  establish  civil  and  criminal  penalties  for  violations  (HHS 
§  164.522;  NAIC  §  15). 

In  terms  of  individuals'  rights  regarding  their  protected  health  information,  the 
NAIC  Model  Act  and  the  proposed  regulation  guarantee  similar  rights.  These  rights 
include:  (1)  the  right  to  inspect  and  copy  the  individual's  protected  health  informa- 
tion (HHS  §  164.514;  NAIC  §  7);  (2)  the  right  to  amend  and  correct  the  individual's 
protected  health  information  (HHS  §  164.516;  NAIC  §8);  (3)  the  right  to  receive  no- 
tice of  an  entity's  privacy  practices  (HHS  §164.512;  NAIC  §6);  (4)  the  right  to  re- 
ceive an  accounting  of  everyone  to  whom  protected  health  information  was  disclosed 
(HHS  §164.515;  NAIC  §9);  and  (5)  the  right  to  revoke  authorization  to  use  or  dis- 
close protected  health  information  (HHS  §  164.508(e);  NAIC  §  10). 

C.  Differences 

Even  though  the  NAIC  Model  Act  and  the  proposed  regulation  have  quite  a  few 
similarities,  there  are  significant  differences  that  concern  the  state  insurance  de- 
partments and  the  NAIC.  As  we  witnessed  in  the  legislative  proposals  offered  by 


iThe  "Health  Information  Privacy  Model  Act"  and  the  "Insurance  Information  and  Privacy 
Protection  Model  Act." 
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Congress,  the  smallest  details  can  have  a  huge  impact  on  how  the  privacy  standards 
effect  consumers  and  the  states.  Key  differences  are  in  scope  and  in  the  applicable 
entities  impacted  by  the  regulation. 

HHS  has  expressed  concern  that  because  of  its  limited  jurisdiction,  the  proposed 
regulation  only  apphes  to  electronic  health  information  and  only  applies  to  certain 
entities  (64  Fed.  Reg.  59923).  We  too  are  concerned  about  the  limited  reach  of  the 
proposed  regulation. 

1.  Scope  ("Summary  and  Purpose") 

Both  the  NAIC  Model  Act  and  the  proposed  regulation  establish  standards  to  pro- 
tect the  privacy  of  protected  health  information.  However,  the  proposed  regulation 
defines  protected  health  information  to  include  only  individually  identifiable  health 
information  that  is  or  has  been  transmitted  electronically  (HHS  §  164.504).  The  reg- 
ulation does  not  cover  paper  records.  On  the  other  hand,  the  NAIC  Model  Act  does 
not  distinguish  between  health  information  in  paper  format  and  health  information 
that  is  electronically  transmitted  and  maintained.  The  NAIC  Model  Act  protects  all 
forms  of  individually  identifiable  health  information,  both  paper  and  electronic.  We 
beheve  the  NAIC  Model  Act's  broader  scope  serves  to  better  protect  individuals' 
health  information.  (NAIC  §  4). 

HHS  requested  comment  on  whether  it  has  the  authority  to  extend  protections  to 
paper  as  well  as  electronic  information,  although  to  this  point,  HHS  has  Hmited  its 
regulations  to  electronic  information.  (64  Fed.  Reg.  59927).  We  suggest  that  since 
HHS  believes  it  has  the  authority  under  HIPAA  to  extend  these  regulatory  require- 
ments to  paper  and  electronic  records,  it  should  do  so.  Rather  than  wait  to  publish 
proposed  rules  that  will  govern  paper  records  in  the  near  future,  we  suggest  that 
HHS  address  paper  records  in  this  current  proposed  regulation.  The  protections  es- 
tabUshed  in  the  proposed  regulation  should  extend  to  both  paper  and  electronic  in- 
formation. 

2.  Applicable  Entities  ("AppHcability^') 

One  of  the  most  obvious  differences  between  the  NAIC  Model  Act  and  the  pro- 
posed regulation  is  in  the  scope  of  the  entities  to  which  the  respective  proposals 
would  apply.  The  NAIC  Model  Act  only  applies  to  insurance  carriers.  The  proposed 
regulation  is  broader  and  apphes  to  health  plans,  health  care  clearinghouses,  and 
health  care  providers  who  transmit  health  information  electronically.  (HHS 
§  160.102).  These  entities  are  referred  to  in  the  proposed  regulation  as  "covered  enti- 
ties." (HHS  §160.103). 

Although  the  proposed  regulation  generally  apphes  to  a  broader  range  of  entities 
than  the  NAIC  Model  Act,  we  are  concerned  that  "health  plan"  is  defined  in  the  pro- 
posed regulation  to  exclude  certain  insurers.  The  proposed  regulation  clarifies  the 
definition  of  "health  plan"  estabHshed  under  HIPAA  to  include  a  health  insurance 
issuer,  a  health  maintenance  organization,  a  Medicare  supplement  policy,  and  a 
long  term  care  policy.  (HHS  §160.103)  As  such,  the  proposed  regulation  would  not 
apply  to  certain  types  of  insurance  entities,  even  if  they  provide  coverage  for  health 
care  services  or  use  information  found  in  an  individual's  medical  record  (i.e.,  life  in- 
surers, workers'  compensation  insurers,  automobile  insurers,  other  property-cas- 
ualty insurers,  and  insurers  offering  certain  limited  benefits)  (64  Fed.  Reg.  59923, 
59932).  The  NAIC  Model  Act  applies  to  all  insurers,  regardless  of  the  products  that 
they  sell. 

While  we  recognize  the  limited  jurisdiction  of  HHS  under  HIPAA  with  respect  to 
insurers,  we  recommend  the  approach  of  the  NAIC  Model  Act,  which  apphes  to  all 
insurance  carriers  and  is  not  limited  to  health  insurers.  (NAIC  §  4).  The  NAIC  had 
an  extensive  pubhc  discussion  about  whether  the  NAIC  Model  Act  should  apply  only 
to  health  insurance  carriers,  or  instead,  to  all  carriers.  Health  insurance  carriers  are 
not  the  only  types  of  carriers  that  use  health  information  to  transact  their  business. 
Health  information  is  often  essential  to  life  insurers  in  issuing  pohcies  and  to  prop- 
erty and  casualty  insurers  in  settling  workers'  compensation  claims  and  automobile 
claims  involving  personal  injury,  for  example.  Reinsurers  also  use  protected  health 
information  to  write  reinsurance.  The  NAIC  concluded  that  it  was  illogical  to  apply 
one  set  of  rules  to  health  insurance  carriers  but  different  rules,  or  no  rules,  to  other 
carriers  that  were  using  the  same  type  of  information. 2  Consumers  deserve  the 


2  The  NAIC  Model  Act  does  allow  exceptions  from  the  authorization  requirement  for  certain 
insurers  to  conduct  certain  activities.  These  include:  (a)  when  the  protected  health  information 
is  necessary  to  the  performance  of  the  carrier's  obligations  under  any  workers'  compensation  law 
or  contract;  and  (b)  when  collecting  protected  health  information  from  or  disclosing  protected 
health  information  to  a  reinsvirer,  stop  loss  or  excess  loss  carrier  for  the  purpose  of  underwTit- 
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same  protection  with  respect  to  their  health  information,  regardless  of  the  entity 
using  it.  Nor  is  it  equitable  to  subject  health  insurance  carriers  to  more  stringent 
rules  than  those  apphed  to  other  insurers.  Our  model  applies  to  all  insurance  car- 
riers and  establishes  uniform  rules  to  the  greatest  extent  possible.  The  NAIC  sup- 
ports privacy  protections  that  apply  to  individually  identifiable  health  information 
wherever  it  resides. 

//.  Comments  on  Preemption  ("Relationship  to  State  Laws") 

A.  General  Comments  on  Preemption 

Preemption  of  state  law  is  a  key  issue  for  the  states  and  the  NAIC  membership. 
As  we  stated  in  our  May  4,  1999  letter  to  Congress  (Attachment  B)  and  in  Congres- 
sional testimony  (Attachment  C)^,  the  federal  government  must  recognize  the  im- 
pact of  any  privacy  legislation  or  regulations  on  existing  state  laws.  States  have  en- 
acted many  laws  designed  to  protect  an  individual's  health  information  in  a  variety 
of  areas.  These  state  protections  appear  in  many  locations  within  a  state's  statutes 
and  regulations,  and  many  times  address  programs  or  uses  of  health-related  infor- 
mation that  are  unique  to  a  particular  state.  In  addition,  states  have  carefully  con- 
sidered when  to  allow  use  and  disclosure  of  health  information  without  authoriza- 
tion, such  as  in  cases  of  investigations  and  audits  of  health  insurers  by  state  insur- 
ance departments.  States  have  enacted  legislation  and  regulations  after  balancing 
the  individual's  right  to  keep  health  information  confidential  against  the  legitimate 
purposes  for  disclosure. 

While  we  oppose  the  preemption  of  state  law,  we  understand  the  desire  to  estab- 
lish a  minimum  standard  in  this  area  due  to  several  factors.  First,  the  transmission 
of  health  information,  as  opposed  to  the  delivery  of  health  care  services,  is  not  al- 
ways a  local  activity.  Health  information  is  transmitted  across  state  and  national 
boundaries.  Second,  while  the  NAIC  has  developed  model  legislation  for  the  states 
to  enact  to  protect  individuals'  health  information  that  is  collected,  used  and  dis- 
closed by  insurance  carriers,  the  reality  is  that  our  jurisdiction  is  Umited  to  insur- 
ance. Because  health  information  privacy  encompasses  more  issues  than  insurance 
and  more  entities  than  insurers,  we  understand  the  desire  for  broader  regulations. 
As  a  result,  the  members  of  the  NAIC  have  concluded  that  the  privacy  of  health 
information  is  an  area  where  it  may  be  appropriate  for  the  federal  government  to 
set  a  minimum  standard. 

However,  it  should  be  noted  that  up  until  this  point  there  has  been  no  federal 
standard  in  place.  Rather,  states  have  been  the  protector  of  consumers  in  this  area. 
Any  federal  action  must  recognize  this  fact  and  make  allowances  for  it.  The  NAIC 
supports  establishing  a  minimum  federal  level  of  protection  for  health  information, 
as  long  as  stronger  state  laws  are  preserved.  We  do  not  want  to  see  health  informa- 
tion that  currently  enjoys  a  high  level  of  protection  under  state  law  end  up  with 
less  protection  under  the  proposed  regulation. 

For  these  reasons,  we  appreciate  HHS'  intent  to  create  minimum  standards,  to 
preserve  stronger  state  laws,  and  to  protect  certain  state  laws  from  any  preemption. 
However,  it  is  critical  that  the  proposed  regulation  not  undermine  the  progress  of 
the  states  in  implementing  legislation  that  protects  health  information  privacy  and 
not  undermine  states'  abilities  to  regulate  entities  over  which  they  have  jurisdiction. 
It  is  also  critical  that  the  proposed  regulation,  in  its  attempt  to  preserve  state  pri- 
vacy laws,  not  make  the  process  for  states  to  enforce  their  laws  so  burdensome  that 
the  process  only  works  in  theory  and  not  in  reality. 

B.  Preemption  Standard  in  the  Proposed  Regulation 

In  the  Health  Insurance  Portability  and  Accountability  Act  of  1996  (HIPAA),  Con- 
gress directed  HHS  to  implement  privacy  regulations  if  Congress  failed  to  meet  the 
statutory  August  21,  1999  deadline  to  enact  legislation.  Congress  also  directed  HHS 
to  implement  regulations  that  would  not  supercede  a  contrary  provision  of  state  law 
if  the  state  law  is  more  stringent  than  the  regulation  (HIPAA  Sec.  264).  While  we 
appreciate  the  expressed  intent  of  HHS  in  the  preamble  to  preserve  stronger  state 
privacy  laws  and  to  protect  other  specific  state  privacy  laws  from  preemption  (64 
Fed.  Reg.  59994-59999),  we  have  concerns  about  the  language  and  structure  used 
in  the  proposed  regulation's  general  rule  and  the  three  categories  of  exceptions  to 


ing,  claims  adjudication  and  conducting  claim  file  audits.  However,  these  entities  are  subject  to 
the  rest  of  the  model's  provisions. 

3  Latest  testimony  dated  July  20,  1999,  before  the  House  Ways  and  Means  Committee,  Sub- 
committee on  Health  is  attached  (Attachment  C).  The  NAIC  also  testified  two  other  times  in 
1999  on  this  issue:  May  27,  1999  before  the  House  Commerce  Committee,  Subcommittee  on 
Health  and  the  Environment;  and  April  27,  1999  before  the  Senate  Health,  Education,  Labor 
and  Pensions  Committee. 
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the  general  rule.  The  preemption  analysis  used  in  the  regulation  is  confusing  and 
leaves  many  questions  unanswered.  Although  the  general  rule  and  the  exceptions 
were  established  in  HIPAA  by  Congress,  not  by  HHS,  we  believe  HHS  needs  to 
make  some  clarifications  in  the  proposed  regulation  in  order  to  effectively  and  effi- 
ciently implement  these  standards. 

C.  The  Proposed  Regulation's  General  Rule  and  Exceptions  (HHS  §  160.203, 
160.204) 

1.  General  Rule 

The  NAIC  membership  has  serious  reservations  about  how  the  preemption  stand- 
ard used  in  the  proposed  regulation  is  to  be  implemented.  The  general  rule  estab- 
lished in  HIPAA  Section  262  and  used  in  the  current  proposed  regulation  states 
that  provisions  of  state  law  are  preempted  to  the  extent  that  they  are  contrary  to 
the  federal  statutory  and  regulatory  scheme.  "Contrar/'  is  defined  in  the  proposed 
regulation  such  that:  (1)  complying  with  both  state  and  federal  requirements  would 
be  impossible;  or  (2)  obeying  state  law  prevents  the  accomplishment  and  execution 
of  the  fiill  purposes  and  objectives  of  the  regulation  (HHS  §  160.202).  HHS  has  spe- 
cifically requested  comment  on  how  these  proposed  criteria  would  be  likely  to  oper- 
ate with  respect  to  particular  state  privacy  laws  (64  Fed.  Reg.  59997). 

While  we  recognize  that  HHS,  in  defining  contrary,  has  used  the  standards  devel- 
oped by  the  courts  for  conflict  preemption  (64  Fed.  Reg.  59997),  we  would  note  that 
in  the  past  we  have  found  similar  definitions  not  to  be  very  helpful  in  comparing 
state  laws  to  federal  requirements.  We  encounter  a  similar  difficulty  when  conduct- 
ing a  conflict  analysis  for  ERISA  preemption  using  the  "relates  to"  standard.  Using 
the  conflict  analysis,  a  state  must  examine  all  its  laws  relating  to  health  informa- 
tion privacy  to  determine  whether  or  not  its  laws  are  contrary  to  the  requirements 
in  the  proposed  regulation.  This  in  and  of  itself  is  a  major  project  for  states  to  un- 
dertake. Just  identifying  all  of  the  laws,  let  alone  comparing  them  to  the  federal 
regulation,  is  time-consuming  and  confusing  for  states.  However,  in  response  to 
HHS'  request  for  comment,  we  offer  a  suggestion  to  help  the  operation  of  and  to 
ease  the  administrative  burden  of  implementing  this  standard. 

We  believe  that  how  the  term  "provision"  is  defined  will  effect  the  practical  imple- 
mentation of  the  general  rule.  We  propose  that  the  states  be  given  the  greatest 
amount  of  flexibility  in  determining  what  the  necessary  scope  of  "provision"  is  when 
applying  the  general  rule's  contrary  standard.*  HHS  has  recognized  that  states 
know  their  laws  best  and  are  best  informed  about  how  to  apply  their  laws.  (64  Fed. 
Reg.  59998).  The  NAIC  membership  believes  that  the  definition  should  preserve  to 
the  maximum  extent  possible  state  privacy  initiatives  that  extend  beyond  the  cov- 
ered subject  matter  of  the  proposed  regulation. 

According  to  the  preamble,  when  applying  the  general  rule,  what  will  be  com- 
pared are  state  and  federal  requirements  that  are  analogous,  i.e.,  that  address  the 
same  subject  matter.  If  there  is  a  state  provision  and  no  analogous  provision  in  fed- 
eral law,  there  is  nothing  to  compare  and  no  issue  of  a  contrary  requirement.  (64 
Fed.  Reg.  59995).  Consequently,  if  the  state  law  is  not  contrary,  the  state  law 
stands.  If  the  state  law  is  contrary,  the  state  must  go  to  the  next  step  in  the  analy- 
sis to  see  if  a  contrary  state  law  can  still  be  saved  from  preemption  by  qualifying 
as  one  (or  more)  of  the  three  categories  of  exemptions.  We  believe  these  are  impor- 
tant statements  and  should  be  included  as  guidance  in  the  regulation  itself,  not  just 
in  the  preamble. 

2.  Exceptions  to  Preemption  of  Contrary  State  Laws 

The  exceptions  to  preemption  for  state  laws  that  are  contrary  to  the  proposed  reg- 
ulation fall  into  three  categories:  (1)  those  state  laws  that  require  a  determination 
by  the  Secretary  that  they  are  necessary  for  certain  purposes  as  set  out  in  HIPAA 
(HHS  §  160.203(a);  (2)  those  state  laws  that  relate  to  the  privacy  of  individually 
identifiable  health  information  that  are  contrary  to  but  more  stringent  than  the  fed- 
eral requirements  (HHS  §  160.203(b));  and  (3)  those  state  laws  that  are  exphcitly 
carved  out  or  exempted  from  the  general  rule  of  preemption  (HHS  §  160.203  (c), 
(d)). 

These  exceptions  are  established  in  the  HIPAA  statute,  so  we  understand  that 
HHS  is  prevented  fi-om  adding  or  deleting  any  exceptions  and  is  limited  in  how 
these  exceptions  are  used.  However,  we  have  comments  and  concerns  regarding 
each  category  of  exceptions.  Our  most  serious  concerns  lie  with  the  exceptions  that 
require  a  determination  by  the  Secretary.  We  also  seek  clarification  regarding  how 


^Our  suggestion  addresses  HHS'  request  for  comment  on  how  the  term  "provision"  might  be 
defined  (64  Fed.  Reg.  59995). 
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these  exceptions  work  on  a  practical  level  if  a  state  law  falls  into  more  than  one 
category  of  exception. 

a.  Exceptions  Requiring  a  Determination  by  the  Secretary  (Category  One) 

Under  this  exception,  a  state  may  continue  to  enforce  a  contrary  provision  of  state 
law  that  falls  into  one  of  five  categories,^  but  only  after  obtaining  a  favorable  deter- 
mination fi*om  the  Secretary  of  HHS.  As  set  forth  in  the  proposed  regulation,  if  a 
state  wants  to  continue  to  enforce  a  contrary  provision  of  state  law  that  falls  under 
one  of  the  listed  categories,  the  state  must  submit  a  written  request  with  detailed 
information  to  the  Secretary  seeking  an  exception  to  the  preemption.  Until  the  Sec- 
retar/s  determination  is  made,  the  federal  requirement  remains  in  effect.  The  Sec- 
retary will  deny  a  request  if  it  determines  that  the  federal  requirement  accom- 
plishes the  law's  purpose  as  well  as  or  better  than  the  state  law  for  which  the  re- 
quest is  made.  If  an  exception  is  granted,  it  is  effective  for  three  years  or  for  such 
lesser  time  as  is  specified  in  the  determination  granting  the  request.  (HHS 
§  160.204(a)). 

We  believe  there  are  several  serious  flaws  with  this  proposed  process.  Our  pri- 
mary concern  is  that  the  determination  process  is  overly  burdensome  for  states.  Not 
only  do  states  have  to  conduct  a  "contrary  analysis"  for  all  of  their  laws  that  protect 
health  information  and  then  submit  requests  for  exceptions  to  HHS,  but  they  also 
have  to  wait  for  HHS  to  make  a  determination  in  order  for  the  states  to  enforce 
their  laws. 

We  are  very  concerned  about  the  provision  in  the  proposed  regulation  that  states 
that  the  federal  standard  applies  until  a  determination  is  made  (the  statute  is  silent 
on  this  issue)  (HHS  §  160.204(a)(2)).  This  provision  is  unacceptable  for  insurance 
departments  that  are  charged  with  protecting  the  citizens  of  the  state  and  enforcing 
state  laws  regulating  health  plans.  Cessation  of  state  regulation  in  the  interim  will 
essentially  leave  plans  unregulated  until  HHS  makes  a  determination.  The  NAIC 
membership  does  not  believe  that  the  states  should  be  hampered  in  their  legal  du- 
ties by  having  their  laws  preempted  until  they  can  prove  to  HHS  that  their  laws 
are  "necessary"  for  their  states.  States  have  passed  privacy  laws  after  careful  con- 
sideration and  debate,  and  they  should  not  have  to  ask  HHS  for  permission  to  en- 
force their  own  laws. 

We  offer  a  simple  solution  to  this  problem  that  would  work  within  the  confines 
of  HIPAA  and  HHS'  jurisdiction.  The  current  assumption  in  the  proposed  regulation 
that  the  federal  standard  applies  imtil  a  determination  is  made  should  be  reversed. 
We  believe  there  is  enough  latitude  in  the  statute  (i.e.  the  statute  is  silent)  to  re- 
verse the  presumption,  so  that  a  state  law  stands  until  and  imless  HHS  has  deter- 
mined otherwise.  The  presumption  should  be  in  favor  of  the  state's  interpretation 
of  its  law.  This  reversal  is  necessary  to  avoid  a  regulatory  vacuum,  especially  con- 
sidering that  the  regulation  does  not  establish  a  time  frame  within  which  the  Sec- 
retary must  make  a  decision.  As  a  result,  we  believe  state  law  should  stand  while 
HHS  is  making  a  determination. 

On  a  related  note,  the  NAIC  membership  questions  whether  HHS  is  prepared  to 
conduct  determinations  for  all  50  states'  laws.  After  states  complete  their  "contrary 
analysis,"  they  will  submit  their  state  laws  to  HHS  to  make  a  determination.  State 
privacy  laws  are  found  in  many  different  areas  of  a  state's  statutes  and  regulations, 
so  the  Secretary  may  receive  a  number  of  requests  per  state.  Without  an  increase 
in  funding  for  HHS  and  the  development  of  HHS'  infrastructure,  HHS  will  not  be 
able  to  handle  the  volume  of  preemption  determination  requests  from  the  states. 

Another  problem  with  the  proposed  regulation  is  the  lack  of  details  about  the  de- 
termination process.  The  proposed  regulation  does  not  establish  a  time  frame  or 
deadline  by  which  HHS  has  to  issue  a  determination.  States  could  be  waiting  for 
years  or  indefinitely  to  find  out  whether  HHS  will  grant  an  exemption.  Such  indeci- 
sion could  have  a  dampening  effect  on  a  state's  ability  to  pass  further  legitimate 
legislation.  We  suggest  that  HHS  revise  its  regulation  to  include  a  time  period  by 
which  HHS  has  to  make  a  determination.  We  also  suggest  that  if  HHS  does  not 
make  a  determination  after  a  specified  amount  of  time,  then  a  default  determination 
should  be  issued  in  favor  of  the  state. 


5  The  five  categories  are:  (1)  the  provision  of  state  law  is  necessary  to  prevent  fraud  and  abuse 
(emphasis  added);  (2)  the  provision  of  state  law  is  necessary  to  ensure  appropriate  state  regula- 
tion of  insurance  health  plans  (emphasis  added);  (3)  the  provision  of  state  law  is  necessary  for 
state  reporting  on  health  care  delivery  or  costs;  (4)  the  provision  of  state  law  is  necessary  for 
other  purposes  related  to  improving  the  Medicare  program,  the  Medicaid  program,  or  the  effi- 
ciency and  effectiveness  of  the  health  care  system;  and  (5)  the  provision  of  state  law  addresses 
controlled  substances.  The  italicized  exceptions  are  of  particular  interest  to  the  state  insurance 
departments  as  the  regulators  of  the  insurance  industry.  (HHS  §  160.203(a)). 


153 


We  also  are  bothered  by  the  fact  that  even  if  states  are  granted  an  exemption 
from  preemption  through  the  HHS  determination  process,  there  is  a  time  hmit  on 
how  long  a  state  law  is  exempt  pursuant  to  this  determination  (HHS  § 
160.203(a)(4).  The  process  is  quite  burdensome  for  the  states,  so  we  question  the 
provision  requiring  states  to  ask  for  a  re-determination  on  the  same  laws  every 
three  years  as  a  waste  of  time  and  resources  for  the  states  and  for  HHS.  HHS 
should  eliminate  the  three-year  limit  on  how  long  the  exemption  is  effective. 

We  are  also  concerned  that  there  is  no  requirement  in  the  regulation  regarding 
giving  notice  to  the  states  and  others  that  HHS  has  made  a  determination,  other 
than  an  annual  publication  in  the  Federal  Register  of  all  determinations  made  by 
HHS.  (HHS  §  160.203(a)(8).  More  frequent  notices,  such  as  quarterly,  should  be 
made.  We  also  suggest  that  HHS  provide  more  details  in  the  proposed  regulation 
about  the  factors  it  will  consider  in  its  determination  process  and  if  there  is  a  for- 
mula HHS  will  use  to  decide  whether  a  state  will  be  granted  an  exemption. 

b.  Exception  for  State  Laws  that  are  More  Stringent  than  the  Regulation  (Category 
Two) 

The  second  exception  allows  a  state  to  continue  to  enforce  a  contrary  provision 
of  state  law  that  relates  to  the  privacy  of  health  information  if  it  is  more  stringent 
than  a  standard,  requirement,  or  implementation  specification  adopted  imder  the 
proposed  regulation.  More  stringent  is  broadly  defined  in  the  proposed  regulation 
as  providing  greater  privacy  protections  for  the  individual.  A  state  is  not  required 
to  obtain  a  determination  about  whether  a  provision  of  its  law  meets  this  exception. 
However,  the  Secretary  on  her  own,  or  at  the  request  of  a  state,  may  issue  an  advi- 
sory opinion  as  to  whether  a  provision  of  state  law  meets  this  exception.  (HHS  § 
160.204(b)). 

In  the  NAIC's  Congressional  testimony  (see  attached),  we  supported  the  establish- 
ment of  minimum  standards  in  the  area  of  health  information  privacy,  and  we 
urged  Congress  to  outline  a  way  in  its  legislation  for  the  states  to  measure  their 
laws  against  any  federal  standard.  We  appreciate  that  HHS  has  chosen  to  establish 
minimum  federal  standards  and  has  included  guidehnes  for  states  to  measure  their 
laws  against  the  proposed  regulation  (i.e.,  less  disclosure  to  others;  greater  right  of 
access  to  health  information  by  the  individual;  greater  penalties;  narrower  scope  of 
authorization;  longer  record-keeping  requirements  and  accounting  requirements.). 
States  need  to  be  able  to  judge  whether  their  state  laws  are  stronger  than  any  fed- 
eral standard  in  order  to  determine  whether  they  need  to  take  further  action  to  re- 
vise their  laws.  By  defining  "more  stringent'"  in  the  proposed  regulation,  HHS  has 
offered  several  different  examples  of  what  qualifies  as  more  stringent  as  guidance 
to  the  states,  with  the  overriding  principle  of  more  protection  to  the  individual 
whose  information  is  being  used  or  disclosed.  (HHS  §  160.202). 

Additionally,  we  support  HHS'  decision  to  limit  the  parties  who  may  request  advi- 
sory opinions  to  the  states  and  the  Secretary  of  HHS.  (HHS  §  160.204(b)(1);  64  Fed. 
Reg.  59998).  We  do  not  beheve  that  insurers  should  be  allowed  to  request  an  advi- 
sory opinion  and  open  every  state  law  up  to  challenge  and  to  review  by  HHS. 

We  do  have  one  concern  regarding  this  exception  that  we  believe  could  be  resolved 
with  explicit  clarification.  Since  the  federal  regulation  only  applies  to  indi\'idually 
identifiable  health  information  that  is  electronically  maintained  and  transferred  and 
it  only  applies  to  health  insurers,  not  all  insurers,  we  would  like  assurance  that  the 
NAIC  Model  Act  and  similar  state  laws,  which  have  a  much  broader  scope  (apply 
to  all  forms  of  transmission  and  to  all  insurers),  would  be  viewed  as  more  stringent 
and  would  be  allowed  to  stand  under  the  proposed  regulation.  We  believe  that  these 
broader  state  laws  would  fall  under  the  category  of  "providing  greater  privacy  pro- 
tection for  the  individual,"  but  explicit  clarification  in  the  preamble  or  text  or  even 
inclusion  in  the  list  of  examples  would  be  appreciated.  The  regulation  should  pre- 
serve state  laws  to  the  maximum  extent  possible  and  allow  states  to  enforce  their 
laws  as  they  apply  to  entities  and  situations  that  are  beyond  the  scope  of  the  regula- 
tion. 

Overall,  we  are  supportive  of  this  exception  and  how  HHS  has  addressed  the  issue 
in  the  regulation.  This  federal  floor  exception  will  still  require  the  states  to  analyze 
their  laws  regarding  whether  the  laws  are  contraiy  and  more  stringent  than  the 
proposed  regulation.  However,  the  states  will  not  have  to  go  through  the  burden- 
some process  as  required  by  the  category  one  exceptions,  and  they  will  not  be  pre- 
vented from  enforcing  their  laws  waiting  for  a  determination.  In  addition,  this  ex- 
ception allows  states  to  enact  stronger  laws  where  and  when  they  are  needed  and 
to  enact  laws  in  the  future  to  address  changes  in  technology  and  in  the  use  of  health 
information  and  to  address  state-specific  issues. 
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c.  Exceptions  that  are  State  Law  Carve-Outs  (Category  Three) 

Under  the  third  category  of  exceptions,  a  state  may  continue  to  enforce  a  contrary 
provision  of  state  law  that  the  meets  one  of  the  two  specified  exceptions:  (1)  provi- 
sions of  state  law  requiring  the  reporting  of  disease  or  injury,  child  abuse,  birth  or 
death,  or  for  the  conduct  of  public  health  surveillance,  investigation  or  intervention; 
and  (2)  provisions  of  state  law  requiring  a  health  plan  to  report,  or  to  provide  access 
to,  information  for  the  purpose  of  management  audits,  financial  audits,  program 
monitoring  and  evaluation,  facility  licensure  or  certification,  or  individual  licensure 
or  certification  (emphasis  added).  (HHS  §  160.203(c),  (d)).  No  mechanism  is  required 
or  available  under  the  proposed  regulation  for  determining  whether  a  state  law 
meets  one  of  these  complete  carve  out  exceptions.  It  appears  to  be  left  up  to  the 
discretion  of  the  states,  although  the  NAIC  membership  requests  that  HHS  affirma- 
tively state  this  fact. 

The  second  carve  out  above  is  of  interest  to  us.  Although  state  insurance  laws 
would  qualify  for  this  exception,  we  are  concerned  with  the  scope  of  the  exemption 
regarding  oversight  of  health  plans.  We  realize  this  list  of  activities  related  to  state 
insurance  department  oversight  is  set  forth  in  HIPAA  §262  (Social  Security  Act 
§  1178);  however,  the  preamble  of  the  proposed  regulation  explains  that  §  1178 
carves  out  an  area  which  the  states  traditionally  have  regulated  and  which  the  stat- 
ute intends  to  preserve  for  the  states  (64  Fed.  Reg.  59999).  We  are  concerned  be- 
cause the  list  has  omitted  some  very  important  activities  that  are  traditionally  regu- 
lated by  the  states  in  the  area  of  health  care,  specifically  such  activities  as  market 
conduct  examinations,  enforcement  investigations  or  consumer  complaint  handling. 
While  it  is  possible  that  these  functions  may  be  included  within  other  categories 
that  are  itemized,  it  is  certainly  not  clear  that  these  fimctions  would  fall  within  the 
exemption.  The  NAIC  membership  thinks  that  the  proposed  regulation  should  recog- 
nize that  these  and  other  state  insurance  department  activities  are  covered  under 
this  exception.  The  stated  intent  is  to  preserve  an  area  of  law  traditionally  regulated 
by  the  states,  therefore  we  request  that  the  regulation  clarify,  either  in  the  pre- 
amble or  the  text,  that  a  broad  scope  of  state  insurance  department  activities  fall 
within  this  carve  out. 

3.  Interaction  Among  the  Three  Categories  of  Exceptions 

We  request  a  clarification  regarding  state  laws  that  are  contrary  to  the  proposed 
regulation  but  that  could  fall  into  more  than  one  category  of  exception.  Clearly  the 
proposed  regulation  contemplates  a  state  law  falling  into  more  than  one  exception 
(HHS  §  160.203),  especially  since  the  three  categories  of  exceptions  are  drawn  broad- 
ly. We  believe  state  insurance  laws  easily  could  fall  into  several  categories  of  excep- 
tions. An  example  is  state  laws  regulating  health  insurance  plans  (category  one) 
that  are  more  stringent  than  the  federal  regulation  (category  two)  and  require 
health  insurance  plans  to  report  information  (category  3).  However,  this  language 
raises  several  questions:  (1)  If  a  state  law  falls  into  more  than  one  exception,  do 
states  get  to  choose  which  category  of  exception  applies?  (2)  Will  insurers,  consum- 
ers or  others  be  allowed  to  sue  state  insurance  departments  if  they  do  not  agree 
with  the  departments'  classifications  of  the  laws?  (3)  Will  this  issue  result  in  litiga- 
tion in  order  to  resolve  which  category  of  exception  any  particular  state  law  falls 
into?  We  think  a  simple  clarification  statement  in  the  regiilation  will  answer  these 
questions. 

We  ask  HHS  to  include  language  in  the  text  of  the  proposed  regulation  stating 
that  if  a  state  law  falls  within  several  different  exceptions,  the  state  chooses  which 
exception  shall  apply.  Clearly,  the  states  would  prefer  a  category  three  exception 
(complete  carve-out)  over  a  category  two  exception  (optional  advisory  opinion),  and 
a  category  two  exception  over  a  category  one  exception  (required  prior  determina- 
tion). The  presumption  should  be  that  the  state  has  the  best  knowledge  of  its  laws 
and  it  has  correctly  classified  its  laws  in  the  appropriate  category  of  exceptions. 
HHS  even  recognized  in  the  preamble  that  states  are  the  most  knowledgeable  about 
their  own  laws.  (64  Fed.  Reg.  59998).  We  think  this  simple  clarification  statement 
will  avert  much  litigation  and  prevent  state  insurance  departments  from  having  to 
defend  endless  challenges  to  their  classification  of  their  laws. 

///.  Comments  on  Exceptions  from  the  Authorization  Requirement  for  Disclosure  to 
Health  Oversight  Agencies  for  Health  Oversight  Activities  (HHS  §  164.510(c));  for 
Disclosure  for  Law  Enforcement  Purposes  (HHS  §164.510(0);  and  for  Use  and  Dis- 
closure for  Judicial  and  Administrative  Proceedings  (HHS  §  164.510(d)).  ("Health 
Oversight,"  "Law  Enforcement,"  and  "Judicial  and  Administrative  Proceedings") 

A.  Classification  of  State  Insurance  Departments 

Similar  to  the  NAIC  Model  Act,  the  proposed  regulation  establishes  a  list  of  ex- 
ceptions to  the  authorization  requirement,  such  that  protected  health  information 
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may  be  used  or  disclosed  without  authorization  in  certain  ciraimstsmces.  However, 
under  the  HHS  proposed  regulation,  the  activities  of  state  insurance  departments 
fit  under  any  one  or  more  of  the  following  three  exceptions:  (1)  for  disclosure  to 
health  oversight  agencies  for  health  oversight  activities;  (2)  for  disclosure  for  law  en- 
forcement purposes;  and  (3)  for  use  and  disclos\ire  for  judicial  and  administrative 
proceedings.  The  regulation  is  imclear  about  the  role  of  insurance  departments  rel- 
ative to  these  exceptions. 

1.  Health  Oversight  Agencies  and  Their  Activities  (HHS  §  164.510(c)) 

The  definition  of  "health  oversight  agency"  ^  most  clearly  encompasses  and  applies 
to  state  insurance  departments.  Although  the  preamble  specifically  lists  state  insur- 
ance departments  as  included  in  this  category,  we  suggest  including  this  statement 
in  the  text  of  the  regulation,  not  just  the  preamble  (64  Fed.  Reg.  59958). 

The  proposed  regulation  provides  an  exception  to  the  authorization  requirement 
for  disclosure  to  health  oversight  agencies  for  conducting  health  oversight  activities. 
According  to  the  proposed  regulation,  these  health  oversight  activities  authorized  by 
law  include  audits;  investigations;  inspections;  civil,  criminal  or  administrative  pro- 
ceedings or  actions;  and  other  activities  necessary  for  appropriate  oversight  of:  i)  the 
health  care  system;  ii)  government  benefit  programs  for  which  health  information 
is  relevant  to  beneficiary  eligibility;  or  iii)  government  regulatory  programs  for 
which  health  information  is  necessary  for  determining  compUance  with  program 
standards  (HHS  §  164.510(c)(1)). 

We  are  particularly  concerned  about  the  scope  of  the  exemption  in  terms  of  the 
Hsted  activities  that  are  included  for  state  oversight  of  health  plans.  While  the  Ust 
includes  a  large  catch-all  category  for  "other  activities  necessary  for  appropriate 
oversight  of  the  health  care  system,  government  benefit  programs,  or  of  government 
regulatory  programs,"  the  list  fails  to  include  other  oversight  activities  that  are  of 
such  importance  to  state  insurance  departments  that  they  should  be  specifically  list- 
ed. Some  of  these  oversight  activities  that  are  traditionally  conducted  by  the  states 
are:  market  conduct  examinations;  consumer  complaint  handHng;  solvency  and  fi- 
nancial examinations;  rehabilitation  and  Uquidation;  investigations;  audits;  fraud 
activities;  establishing  and  enforcing  legal  or  fiscal  standards  relating  to  the  regula- 
tion of  the  business  of  insurance,  including  claims,  underwriting,  sales,  and  man- 
aged care;  assessments,  evaluations,  determinations;  initiation  of  administrative, 
civil  or  criminal  proceedings;  compUance  and  enforcement  of  laws  or  regulations. 

While  it  coiild  be  argued  that  some  of  these  functions  are  included  within  other 
categories  that  are  itemized,  it  is  certainly  not  clear  that  these  functions  would  fall 
witMn  the  exemption.  In  order  to  ensure  that  every  insurance  department  can  fulfill 
its  obhgations  to  the  citizens  in  its  state,  we  request  that  HHS  add  these  additional 
oversight  activities  to  the  list  of  specific  examples.  We  also  request  that  HHS  clarify 
that  the  catch-all  exemption  to  the  authorization  requirement  for  activities  nec- 
essary for  the  appropriate  oversight  of  the  health  care  system  is  intended  to  include 
all  legally  authorized  activities  performed  by  insurance  departments. 

2.  Health  Oversight  Activities  by  Two  or  More  Agencies. 

On  a  related  note,  the  preamble  states  that  in  cases  where  health  oversight  agen- 
cies are  working  in  tandem  with  other  agencies  overseeing  public  benefit  programs 
to  address  compHance,  fi'aud  or  other  integrity  issues  that  could  span  across  pro- 
grams, the  oversight  activities  of  the  team  would  be  considered  health  oversight  and 
disclosure  to  and  among  team  members  would  be  permitted  under  the  proposed  rule 
to  the  extent  permitted  under  other  law.  (64  Fed.  Reg.  59958).  We  appreciate  that 
state  agencies  will  be  able  to  work  together  and  share  protected  health  information 
among  agencies  in  order  to  conduct  oversight  activities  and  share  information,  with- 
out being  considered  as  business  partners  or  needing  a  contract  to  share  information 
among  state  agencies. 

However,  we  would  Uke  to  see  this  abihty  to  share  information  with  other  agen- 
cies for  oversight  purposes  expanded  from  just  overseeing  pubUc  benefit  programs 
(i.e.  Medicaid)  to  overseeing  health  programs  and  activities  as  a  whole.  For  example, 
an  insurance  department  may  not  be  the  sole  agency  in  a  state  that  regulates 
health  insurers  and  plans.  In  some  states,  the  Department  of  Health,  the  Depart- 
ment of  Corporations  or  the  Department  of  Managed  Care  is  responsible  for  regulat- 
ing managed  care  entities.  This  results  in  an  overlap  in  jurisdiction  or  in  delegation 


6  "Health  oversight  agency"  is  defined  as  an  agency,  person  or  entity,  including  the  employees 
or  agents,  that  is  a  public  agency  (or  acting  under  a  grant  of  authority  from  or  contract  with 
a  public  agency)  and  which  performs  or  oversees  the  performance  of  any  audit;  investigation; 
inspection;  licensure  or  discipline;  civil  or  criminal  or  administrative  proceeding  or  action;  or 
other  activity  necessary  for  appropriate  oversight  the  health  care  system.  (HHS  §  164.504). 
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of  responsibilities  among  agencies  for  regulating  the  health  insurance  entities.  Shar- 
ing of  information  among  agencies  for  these  oversight  activities  is  just  as  important 
as  oversight  of  pubUc  benefit  programs.  Consequently,  we  would  Uke  to  see  the  reg- 
ulation recognize  the  need  for  information-sharing  among  agencies  for  the  oversight 
of  health  programs  and  activities  as  a  whole. 

3.  Law  Enforcement  and  Judicial  and  Administrative  Proceedings  (HHS  § 
164.510(f),  (d)) 

In  addition  to  falling  into  the  health  oversight  exception,  it  could  be  argued  that 
certain  state  insurance  department  activities  fall  under  the  law  enforcement  and  ju- 
dicial and  administrative  proceeding  exceptions.  The  definition  of  "law  enforcement 
official"  is  very  broad  and  includes  an  officer  of  an  agency  or  authority  of  a  state 
who  is  empowered  by  law  to  conduct:  1)  an  investigation  into  a  violation  of,  or  fail- 
ure to  comply  with  any  law;  or  2)  a  criminal,  civil  or  administrative  proceeding  aris- 
ing fi-om  a  violation  of,  or  failure  to  comply  with,  any  law.  (HHS  §  164.510(f)(l)(ii); 
64  Fed.  Reg.  59937).  Because  of  their  job  responsibilities,  state  insurance  commis- 
sioners woidd  fall  into  this  definition.  As  drafted,  state  insurance  department  efforts 
to  combat  health  care  fraud  coxild  be  considered  law  enforcement  activity. 

Judicial  and  administrative  proceedings  are  not  defined  in  the  proposed  regula- 
tion but  are  considered  an  exception  to  the  authorization  requirement.  Under  this 
exception,  persons  are  permitted  to  disclose  information  in  the  course  of  any  judicial 
or  administrative  proceeding,  but  only  in  response  to  an  order  of  a  court  or  adminis- 
trative tribimal,  or  where  the  individual  is  a  party  to  the  proceeding  and  his  or  her 
medical  condition  or  history  is  at  issue  and  the  disclosure  is  pursuant  to  lawful  proc- 
ess or  otherwise  authorized  by  law.  (HHS  §  164.510(d)(1)).  State  insurance  depart- 
ments conduct  administrative  proceedings  and  are  often  involved  in  judicial  and  ad- 
ministrative proceedings. 

Potentially,  one  single  activity  could  be  construed  as  falling  into  all  three  excep- 
tions. An  example  could  be  a  joint  investigation  by  an  insurance  department's  inves- 
tigation team,  which  is  investigating  a  hcensee  for  purposes  of  determine  if  adminis- 
trative action  should  be  taken  against  the  hcensee,  and  the  department's  fi^aud  unit, 
which  may  prosecute  the  individual  for  insurance  fraud.  This  issue  raises  procedural 
questions,  especially  if  one  exception  requires  a  court  order  (judicial  and  administra- 
tive proceedings),  one  does  not  (health  care  oversight),  and  another  exception  may 
require  a  court  order  in  certain  situations  (law  enforcement,  although  not  for  health 
care  fraud).  The  preamble  states  that  agencies  that  conduct  both  oversight  and  law 
enforcement  activities  would  be  subject  to  the  provision  on  use  and  disclosure  for 
health  oversight  activities  when  conducting  oversight  activities  (64  Fed.  Reg.  59958). 
However,  what  standards  apply  when  conducting  other  activities.  It  is  difficult  to 
have  several  different  applicable  rules  based  on  the  activities  the  states  are  per- 
forming. This  is  especially  true  if  states  are  conducting  activities  that  fall  into  more 
than  one  category  of  exception  and  the  activities  are  not  so  easily  divided  into  parts 
that  need  authorization  and  those  that  do  not. 

The  regulation  should  state  that  either  insurance  departments  decide  which  ex- 
ception applies,  or  that  all  insurance  department  activities  are  health  oversight  ac- 
tivities. Otherwise,  state  insurance  departments  may  face  endless  litigation  over 
their  classifications.  We  ask  HHS  to  include  language  in  the  text  of  the  proposed 
regulation  stating  that  if  a  state  insurance  activity  falls  within  several  different  ex- 
ceptions, the  state  chooses  which  exception  shall  apply.  The  presumption  should  be 
that  the  state  has  the  best  knowledge  of  its  laws  and  activities  and  has  correctly 
classffied  them  in  the  appropriate  category  of  exceptions.  HHS  even  recognized  in 
the  preamble  that  states  are  the  most  knowledgeable  about  their  own  laws  (64  Fed. 
Reg.  59998).  We  think  this  simple  clarification  statement  will  avert  much  litigation 
and  prevent  a  state  insurance  department  from  having  to  defend  endless  challenges 
to  its  classification  of  the  exception  that  applies. 

B.  Permitted  Disclosures  Versus  Required  Disclosures  to  State  Insurance  Depart- 
ments 

We  are  concerned  that  under  the  proposed  regulation  covered  entities  are  "per- 
mitted" but  not  "required"  to  disclose  necessary  protected  health  information  to 
health  oversight  and  law  enforcement  agencies  (HHS  §  164.510(c),  (f);  64  Fed.  Reg. 
59955).  Under  the  proposed  regulation,  disclosure  is  required  in  only  two  in- 
stances— to  permit  an  individual  to  inspect  or  copy  their  information,  or  when  re- 
quired by  the  Secretary.  (HHS  §  164.506) 

We  believe  that  covered  entities  under  investigation  by  a  state  agency  should  be 
required  to  provide  that  state  agency  with  access  to  necessary  health  information 
when  performing  its  legally  mandated  duties.  This  disclosure  should  not  be  optional. 
By  not  requiring  insurers  to  provide  state  insurance  departments  with  access  to 
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records,  filings  and  other  documents  that  may  contain  individually  identifiable  infor- 
mation, state  insurance  departments'  ability  and  authority  to  perform  their  regu- 
latory responsibihties  is  imdermined.  In  addition,  obtaining  authorization  from  all 
of  an  insurer's  clients  for  investigation  of  an  insurer's  business  practices  is  not  fea- 
sible or  practical. 

The  NAIC  requests  that  disclosure  be  required  under  the  proposed  regulation  in 
additional  instances,  including  disclosure  to  health  oversight  agencies  for  health 
oversight  activities  consistent  with  state  law.  The  NAIC  Model  Act  lists  cir- 
cumstances where  an  insurer  is  required  to  disclose  protected  health  information 
without  an  authorization.  Three  of  these  situations  are:  (1)  disclosure  to  federal, 
state  or  local  authorities  to  the  extent  the  carrier  is  required  by  law  to  report  pro- 
tected health  information  or  for  fraud  reporting  purposes;  (2)  disclosure  to  a  state 
insurance  department  performing  an  examination,  investigation,  audit;  or  (3)  pursu- 
ant to  a  court  order.  (NAIC  Model  Act  §  11).  By  not  requiring  insurers  to  disclose 
needed  records  that  may  contain  individually  identifiable  health  information,  state 
insurance  departments  will  be  forced  to  obtain  court  orders  for  every  request  of  in- 
formation needed  for  a  legitimate  and  lawful  purpose. 

However,  even  court  orders  will  not  remedy  the  problem,  since  under  the  proposed 
regulation's  judicial  and  administrative  proceeding  exception,  covered  entities  are 
permitted  to  disclose  protected  health  information  in  a  judicial  or  administrative 
proceeding  if  the  request  for  such  protected  health  information  is  made  through  or 
pursuant  to  an  order  by  the  court  or  administrative  tribimal.  (HHS  §  164.510(d)). 
This  use  of  "permitted"  in  the  proposed  regulation  instead  of  "required"  will  severely 
hamper  state  insurance  departments  from  doing  their  jobs. 

The  preamble  states  that  protected  health  information  is  often  needed  as  part  of 
an  administrative  or  judicial  proceeding,  and  it  even  lists  examples.  The  preamble 
states  that  these  "uses  of  health  information  are  clearly  necessary  to  allow  the 
smooth  fonctioiiing  of  the  legal  system."  (64  Fed.  Reg.  59958-59959).  If  the  uses  are 
necessary,  it  logically  follows  that  the  language  in  the  text  of  the  proposed  regula- 
tion should  use  the  word  "required"  instead  of  "permitted." 

IV.  Comments  on  Accounting  for  Disclosures  Requirement  (HHS  §  164.515) 

Both  the  proposed  regulation  and  the  NAIC  Model  Act  grant  individuals  the  right 
to  an  accounting  of  the  disclosures  of  their  protected  health  information  from  cov- 
ered entities  (HHS  §  164.515;  NAIC  §9),  and  both  estabHsh  exceptions  to  this  right. 
The  proposed  regulation  establishes  an  exception  so  that  accounting  for  disclosure 
to  an  oversight  agency  or  law  enforcement  agency  is  not  required  to  be  given  to  an 
individual  if  the  agency  provides  a  written  request  stating  that  the  exclusion  is  nec- 
essary for  a  specified  period  of  time.  (HHS  §  164.515(a)(2)).  The  NAIC  Model  Act's 
exception  states  that  the  carrier  is  not  required  to  include  in  the  accounting  any 
disclosures  of  protected  health  information  that  were  compiled  in  preparation  for 
Htigation,  law  enforcement  or  fraud  investigation.  There  is  no  date-specific  deadline 
on  this  exception. 

Both  the  proposed  regulation  and  the  NAIC  Model  Act  create  exceptions  to  the 
accounting  requirement  for  oversight  agencies  and  law  enforcement  agencies  con- 
ducting investigations.  The  problem  with  the  proposed  regulation  is  that  it  is  nearly 
impossible  to  accurately  project  the  length  of  an  investigation,  especially  during  its 
early  stages.  Rather  than  designating  a  specific  date  or  a  specific  amount  of  time 
for  no  accounting  of  disclosures  to  oversight  or  law  enforcement  agencies,  the  NAIC 
suggests  a  deadline  based  on  the  end  of  an  event,  such  as  conclusion  of  an  investiga- 
tion. This  ensures  that  an  individual  wiU  receive  a  full  accounting  of  disclosures  at 
a  certain  point  but  also  allows  an  oversight  or  law  enforcement  agency  to  complete 
its  investigation  without  having  to  set  some  arbitrary  date  of  disclosure. 

V.  Comments  on  Banking  Activities  and  Financial  Services  Modernization  (HHS 
§  164.510(1))  ("Banking  and  Payment  Processes") 

HHS  attempts  to  address  banks  and  banking  activities  within  the  scope  of  the 
proposed  regulation.  We  beHeve  this  is  a  very  important  issue  in  hght  of  the  passage 
of  financial  services  modernization  legislation,  The  Gramm-Leach-Bliley  Act,  PubHc 
Law  106-102  (the  "GLB  Act"),  and  with  the  changes  in  the  entities  that  are  consid- 
ered "payers."  However,  we  have  some  concerns  about  how  banks  and  their  activi- 
ties are  handled  under  the  proposed  regulation. 

A.  Payment  Activities  Versus  Non-Payment  Activities 

The  first  issue  concerns  the  exception  for  banking  and  payment  processes  (HHS 
§  164.510(1)).  This  exception  is  confusing  because  HHS  attempts  to  address  two  sep- 
arate issues  within  the  context  of  this  one  exception — payment  activities  and  non- 
pa3mient  banking  activities.  We  beUeve  these  two  issues  shoiild  be  handled  sepa- 
rately. 
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Under  the  statute  (§  1179  of  the  Social  Security  Act/§262  of  HIPAA),  banks  can 
use  or  disclose  protected  health  information  for  certain  listed  purposes  (all  involving 
payment),  and  HHS  repeats  these  approved  activities  in  the  regulation.^  billing, 
transferring,  reconciling  or  collecting  payments"  for  health  care  or  health  plan  pre- 
miums. 

Under  §  164.510(i),  "disclosure  for  banking  and  pajnnent  processes,"  covered  enti- 
ties are  allowed  to  disclose  protected  health  information  to  financial  institutions 
without  an  individual's  authorization  for  processing  payment  for  health  care  and 
health  care  premiums,  including  the  processing  of  checks  or  credit  card  transactions 
as  payment  for  health  care  services.^  However,  covered  entities  would  not  be  al- 
lowed imder  the  proposed  regulation  to  include  any  diagnostic  or  treatment  informa- 
tion in  the  data  transmitted  to  financial  institutions.  (64  Fed.  Reg.  59966). 

We  agree  with  HHS'  assessment  of  a  bank's  role  in  payment  activities.  We  too 
recognize  that  a  certain  amount  of  information  is  needed  to  process  pajrments,  but 
we  agree  that  a  bank  would  not  need  diagnostic  or  treatment  information  in  order 
to  process  a  payment  and  that  in  most  cases,  if  not  all,  only  the  specified  informa- 
tion would  be  necessary  for  a  bank  to  conduct  payment  activities.^  (64  Fed.  Reg. 
59966). 

HHS  also  raises  the  issue  of  non-payment  banking  activities  in  the  preamble  of 
this  exception  (not  in  the  text  of  the  proposed  regulation).  HHS  theorizes  about  ac- 
tivities banks  may  be  providing  now  and  in  the  fiiture  for  plans  and  providers,  and 
HHS  recognizes  that  banks,  in  addition  to  offering  traditional  banking  services,  may 
be  interested  in  offering  additional  services  to  covered  entities  such  as  tracking  serv- 
ices, and  diagnostic  and  treatment  information,  claims  management  and  billing  sup- 
port. (64  Fed.  Reg.  59966).  With  the  passage  of  the  GLB  Act,  this  is  a  very  real  sce- 
nario. 

Currently,  banks  are  not  considered  covered  entities  under  this  proposed  regula- 
tion. HHS  tries  to  address  its  lack  of  jurisdiction  over  banks  by  classifying  banks 
as  'TDusiness  partners"  of  covered  entities  when  receiving  protected  health  informa- 
tion for  non-payment  activities.  1°  (64  Fed.  Reg.  59966).  For  example,  if  a  bank  offers 
an  integrated  package  of  traditional  banking  services  and  health  claims  and  billing 
services,  it  could  do  so  through  a  business  partner  arrangement  that  meets  the  pro- 
posed requirements.  (64  Fed.  Reg.  59966-59967). 

We  agree  with  HHS'  assessment  that  nothing  in  the  regulation  would  prohibit 
banks  from  becoming  business  partners  of  covered  entities  under  the  conditions  es- 
tablished in  the  proposed  regulation  (HHS  §  164.506(e)),  and  that  any  services  of- 
fered by  a  bank  that  are  not  on  the  list  of  exempt  services  in  the  statute  (Social 
Security  Act  §  1179)  should  be  subject  to  the  business  partner  rule.  We  also  agree 
that  disclosing  protected  health  information  to  a  financial  institution  for  non-pay- 
ment activities  without  authorization  or  without  a  business  partner  contract  would 
violate  the  provisions  of  the  proposed  regulation.  (64  Fed.  Reg.  59966). 

As  demonstrated  by  our  comments,  our  concerns  do  not  involve  how  HHS  has  ad- 
dressed pajnnent  activities  or  non-payment  activities  of  banks,  but  rather  that  HHS 
has  addressed  these  two  issues  together  as  if  there  were  no  differences  in  the  need 
for  protected  health  information  in  these  two  sets  of  activities.  We  think  that  bank 
activities  that  do  not  involve  processing  payments  should  be  handled  separately 
from  payment  activities.  The  exception  (HHS  §  164.510(1))  should  be  narrowed  to 
be  just  "payment  processes"  and  should  not  be  "payment  and  banking  processes"  or 


These  activities  are  "authorizing,  processing,  clearing,  settling,  billing,  transferring,  reconcil- 
ing or  collecting  payments"  for  health  care  or  health  plan  premiums. 

8  We  question  the  need  for  the  exception  for  disclosure  for  banking  and  payment  processes. 
Under  the  general  rule,  authorization  is  not  required  for  payment  purposes.  Presumably  a  cov- 
ered entity  would  not  need  an  authorization  to  disclose  protected  health  information  to  a  bank 
for  payment  purposes.  However,  one  of  the  additional  listed  exceptions  is  for  disclosure  for  bank- 
ing and  payment  processes.  This  exception  appears  to  be  duplicative  of  the  general  rule,  which 
raises  the  question  of  why  this  is  an  exception.  It  appears  HHS  wants  to  limit  the  amount  of 
information  that  a  bank  can  receive  to  process  a  payment,  specifically  a  check  or  a  credit  card 
transaction.  This  is  less  of  an  exception  to  the  general  rule  and  more  of  a  clarification  of  the 
rule,  since  the  rule  already  excepts  payment  activities. 

9  Limited  list  would  include  only:  (1)  the  name  and  address  of  the  account  holder;  (2)  the  name 
and  address  of  the  payer  or  provider;  (3)  the  amount  of  the  charge  for  health  services;  (4)  the 
date  on  which  health  services  were  rendered;  (5)  the  expiration  date  for  the  payment  mecha- 
nism, if  applicable  (i.e.,  credit  card  expiration  date);  and  (6)  the  individual's  signature. 

10  A  covered  entity  may  disclose  protected  health  information  to  persons  it  hires  to  perform 
functions  on  its  behalf  ("business  partners"),  where  such  information  is  needed  for  that  ftmction. 
However,  a  covered  entity  and  its  business  partners  would  be  required  to  enter  into  a  contract 
that  establish  the  permitted  and  required  uses  and  disclosures  of  such  information  by  the  part- 
ners. 
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any  other  activities  outside  the  scope  of  payment.  All  other  non-payment  activities 
should  be  governed  by  the  business  partners  rule. 

In  addition,  there  are  discrepancies  between  the  preamble  and  the  actual  text  of 
the  regulation  setting  forth  this  exception  (HHS  §  164.510(i)).  Notwithstanding  the 
discussion  on  banks  as  business  partners,  the  intent  of  the  preamble  seems  fairly 
focused  and  is  narrower  in  scope  than  the  actual  text.  The  text  of  the  regulation 
as  it  is  currently  written  is  overly  broad  and  could  lead  to  unintended  consequences. 
The  preamble  addresses  payment  processes,  but  the  text  of  the  regulation  addresses 
"routine  banking  acti\dties  or  payment."  (64  Fed.  Reg.  59966;  §  164.510(1).  "Routine 
banking  activities"  is  very  broad  and  could  include  approving  loans  and  offering 
mortgages — activities  that  do  not  necessitate  disclosure  of  protected  health  informa- 
tion for  payment,  but  would  be  allowed  under  the  text  of  the  regulation.  Banks 
should  not  have  access  to  indi\dduals'  protected  health  information  in  deciding 
whether  to  offer  a  loan  or  mortgage.  We  suggest  that  the  text  of  the  regulation  be 
re-drafted  to  reflect  the  narrower  scope  and  intent  of  the  preamble. 

In  short,  if  covered  entities  disclose  protected  health  information  to  banks  strictly 
for  payment  processing,  we  agree  that  no  authorization  is  needed,  but  the  informa- 
tion banks  receive  should  be  minimal.  If  protected  health  information  is  used  for 
any  other  reason,  authorization  from  the  individual  would  be  required  or  a  business 
contract  with  a  covered  entity  would  be  required. 

B.  Banks  as  "Covered  Entities" 

Currently  banks  are  not  included  under  the  definition  of  "covered  entities"  in  the 
HHS  proposed  regulation;  however,  w^th  the  enactment  of  the  GLB  Act,  banks  are 
able  to  form  holding  companies  that  will  include  insurance  companies  (covered  enti- 
ties) and  their  activities. As  a  result,  banks  may  soon  have  access  to  protected 
health  information  once  the  GLB  Act  is  implemented  and  banks  start  buying  insur- 
ance companies.  When  (not  if)  this  happens,  we  beheve  banks  should  be  classified 
as  covered  entities  under  the  proposed  regulation.  Banks  should  be  held  to  the  re- 
quirements of  the  HHS  proposed  regulation  and  should  be  required  to  obtain  au- 
thorization from  an  individual  to  conduct  non-pa3anent  activities.  As  hsted  in  the 
preamble,  these  activities  requiring  authorization  would  include:  use  for  marketing 
of  health  and  non-health  items  and  services;  and  use  and  disclosure  to  non-health 
related  divisions  of  the  covered  entity  (e.g.,  for  use  in  marketing  Hfe  or  casualty  in- 
surance or  banking  services).  (64  Fed.  Reg.  59941-59942).  HHS  should  clarify  that 
if  financial  institutions  act  as  payers,  they  should  be  governed  by  the  HHS  privacy 
regulation  as  covered  entities. 

VI.  Conclusion 

In  summary,  we  support  HHS'  efforts  to  implement  privacy  regulations  that  leave 
intact  as  many  state  laws  as  possible.  However,  we  do  have  serious  concerns  about 
the  scope,  the  appUcable  entities  effected  by  the  proposed  regulation,  the  preemption 
of  state  law,  the  determination  process  for  preemption  exceptions,  and  how  state  in- 
surance departments  and  the  broad  scope  of  activities  for  which  they  are  responsible 
are  classified.  We  beHeve  that  the  regulation  in  its  current  form  has  the  potential 
to  significantly  impair  the  states'  abihty  to  regulate  the  health  insurance  industry. 
We  do  believe  that  the  proposed  regulation  may  be  workable  if  HHS  implements  our 
suggested  changes. 

The  NAIC  appreciates  the  opportunity  to  offer  these  comments  regarding  the  pro- 
posed regulation.  The  NAIC  intends  to  continue  working  closely  with  HHS  on  these 
and  other  issues.  If  HHS  has  any  questions  with  respect  to  these  comments  or  any 


11  We  are  concerned  about  the  relationship  between  the  GLB  Act  and  its  proposed  privacy  reg- 
ulations and  HHS"  proposed  health  information  privacy  regulation.  Under  the  GLB  Act,  a  bank 
holding  company  has  affiliates  that  may  be  insurance  companies,  securities  firms,  or  thrifts. 
These  affiliates  are  allowed  to  exchange  "personally  identifiable  financial  information  with  each 
other  and  with  the  bank  holding  company  without  authorization  from  the  indi\idual.  The  only 
restrictions  on  sharing  this  information  under  the  GLB  Act  is  vrilh  non-affiliated  third  parties. 
Under  the  HHS  proposed  regulation,  an  insurance  company  could  not  share  protected  health 
information  with  an  affiliate  without  a  business  partner  contract.  Clearly,  the  GLB  Act  is  less 
restrictive  in  the  use  and  disclosure  of  protected  health  ioformation  and  is  less  protective  of  in- 
dividuals' rights  than  the  HHS  proposed  regulation. 

Consideration  needs  to  be  given  to  the  interaction  between  the  HHS  proposed  privacy  regula- 
tion, the  financial  services  modernization  legislation  and  proposed  regulations,  and  state  laws, 
in  addition  to  the  impact  on  state  laws,  we  are  concerned  about  the  interaction  and  potential 
conflict  between  the  two  federal  laws  and  their  regulations.  In  general,  the  relationship  between 
the  preemption  standards  of  HIPAA  and  the  GLB  Act,  as  they  relate  to  financial  institutions, 
is  not  clear  and  is  still  being  analvzed  and  interpreted  by  many  interested  parties  including  the 
NAIC.  We  ask  that  HHS  work  v,ith  the  federal  agencies  (Federal  Reser\'e,  Treasur>-.  Office 
Thrift  Supervision,  etc.)  that  are  involved  in  promulgating  regulations  to  implement  the  GLB 
Act  to  discuss  the  potential  conflicts  between  the  competing  privacy  regulations. 
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other  element  of  the  proposed  regulation,  it  should  feel  free  to  contact  myself  or 
Mary  Beth  Senkewicz  at  (202)  624-7790. 
Sincerely, 

Kathleen  Sebelius 

Vice  President, 
Chair,  Health  Insurance  Task  Force 
Commissioner  of  Insurance,  Kansas 

Attachments 

National  Association  of  Insurance  Commissioners 

Federal  and  International  Relations  Office 

Hall  of  the  States 

444  N.  Capitol  Street,  N.W. 

Suite  701 

Washington,  D.C.  20001 
(202)  624-7790 


National  Breast  Cancer  Coalition 
Washington,  DC  20036 

February  15,  2000 
U.S.  Department  of  Health  and  Human  Services 
Assistant  Secretary  for  Planning  and  Evaluation 
Attention:  Privacy-P,  Room  G-322A 
Hubert  Humphrey  Building 
200  Independence  Avenue,  SW 
Washington,  D.C.  20201 

'  De£ir  Assistant  Secretary  for  Planning  and  Evaluation: 

I  am  writing  to  you  on  behalf  of  the  National  Breast  Cancer  Coalition  (NBCC), 
and  the  2.6  million  women  hving  with  breast  cancer.  NBCC,  a  grassroots  advocacy 
organization  made  up  of  over  500  organizations  and  tens  of  thousands  of  individ- 
uals, has  been  working  since  1991  to  eradicate  breast  cancer  through  increased  fund- 
ing and  new  strategies  for  breast  cancer  research,  access  to  quality  health  care  for 
all  women,  and  expanded  influence  of  breast  cancer  activists  at  every  table  where 
decisions  regarding  breast  cancer  are  made. 

NBCC  strongly  believes  that  we  must  establish  a  national  policy  that  ensures  an 
individual's  right  to  privacy  with  respect  to  individually  identifiable  health  informa- 
tion. Individuals  own  their  health  information.  The  issue  here  is  imder  what  cir- 
cumstances other  people  should  be  able  to  use  an  individual's  health  information. 
As  breast  cancer  survivors,  we  believe  that  our  illness,  diagnosis,  treatment  and 
prognosis  is  very  personal  information.  We  also  know  that  the  misuse  of  our  health 
information  can  harm  us  and  our  families.  For  example,  unauthorized  or  inadvert- 
ent disclosure  of  our  health  status,  genetic  or  family  history  can  make  it  difficult 
if  not  impossible  for  some  women  and  their  daughters  to  obtain  health  insurance. 
This  danger  becomes  an  increasing  reality  as  the  number  of  entities  maintaining 
and  transmitting  individually  identifiable  health  information  and  the  use  of  inte- 
grated health  iniformation  systems  generally  continues  to  grow.  Without  any  na- 
tional privacy  standards  to  protect  consumer's  rights,  consumers  risk  misuse  of 
health  information  within  an  uneven  system  of  state  protection. 

At  the  same  time,  NBCC  believes  that  federal  standards  for  protecting  privacy 
rights  should  not  impede  the  progress  of  biomedical,  behavioral,  epidemiological  and 
health  services  research.  Research  offers  women  diagnosed  with  breast  cancer  the 
best  hope  for  finding  a  cure  and  improving  treatment,  and  someday  preventing 
breast  cancer.  NBCC  beheves  that  a  federal  standard  should  protect  the  privacy  of 
individuals  and  enhance  public  trust  in  medical  research,  and  simultaneously  pro- 
tect the  ability  of  researchers  to  conduct  vital  biomedical  research. 

The  following  comments  are  in  response  to  the  Department  of  Health  and  Himian 
Services'  (HHS)  proposed  rule  (45  CFR  Parts  160  through  164).  NBCC  commends 
HHS  for  developing  significant  regulatory  standards  that  aim  to  fill  the  gap  in  fed- 
eral health  privacy  protection.  While  the  draft  regulations  properly  address  several 
of  NBCC's  key  concerns — such  as  access  to  medical  records;  notice  of  information 
pohcies;  informed  consent;  minimum  necessary  use;  and  the  use  and  disclosure  of 
personal  health  information  with  regard  to  research — we  remain  concerned  about 
the  areas  that  HHS  did  not  have  the  authority  to  cover.  It  is  for  that  reason  that 
we  continue  to  urge  Congress  to  enact  comprehensive  federal  privacy  legislation. 
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We  appreciate  the  opportunity  to  comment  on  the  health  privacy  regulations,  and 
look  forward  to  working  with  HHS  and  Congress  to  improve  health  information  pri- 
vacy. 

The  Regulations  are  not  sufficiently  broad  in  scope. 

1.  The  Regulations  cover  a  limited  number  of  entities.  (Section  164.502) 

NBCC  recognizes  that  HIPPA  specifically  Umited  the  entities  that  HHS  could 
cover — so  that  the  regulations  could  only  apply  to  health  plans,  health  care  provid- 
ers and  health  care  clearinghouses.  These  three  categories  exclude  a  number  of  enti- 
ties that  receive  health  information,  such  as  contractors,  third  party-administrators, 
researchers,  public  health  officials,  life  insurance  insurers,  employers  and  marketing 
firms.  The  regulation's  limited  coverage  of  entities  is  a  serious  flaw.  Congress  must 
continue  to  work  towards  enacting  a  comprehensive  federal  privacy  law  that  would 
apply  to  all  of  those  who  generate,  maintain  or  receive  protected  health  information. 

2.  The  Regulations  only  cover  protected  health  information  that  is  electronically 
transmitted.  (Section  164.504) 

Another  Hmitation  of  the  draft  regulations  is  that  they  only  apply  to  "protected 
health  information"  which  is  defined  as  individually  identifiable  health  information 
that  has  been  transmitted  or  maintained  electronically  by  a  covered  entity.  This 
means  that  all  private  health  information  that  remains  in  paper  form  would  be  un- 
protected. 

Privacy  standards  must  apply  to  aU  individually  identifiable  health  information 
in  any  form  maintained  or  transmitted  by  a  covered  entity.  It  does  not  make  any 
sense  to  draw  a  distinction  based  on  form  rather  than  content.  A  covered  entity 
should  be  required  to  treat  all  information  it  maintains  or  transmits  in  the  same 
fashion.  Covered  entities  currently  maint£iin  and  transmit  health  information  in 
both  electronic  and  paper  form.  In  fact,  many  health  care  providers  maintain  solely 
paper  systems  and  a  majority  of  health  information  remains  in  paper  form.  If  the 
regulations  do  not  apply  to  this  information  in  any  form,  they  will  not  accomplish 
the  goal  of  protecting  individuals'  medical  privacy.  People  or  organizations  that  hold 
health  information  that  would  otherwise  be  protected  could  escape  compliance  with 
privacy  protections  by  maintaining  the  records  on  paper.  Additionally,  for  enforce- 
ment purposes,  it  may  prove  difficult,  if  not  impossible,  to  establish  that  specific 
health  information  at  some  point  in  its  existence  has  been  transmitted  or  main- 
tained electronically  and,  therefore,  is  subject  to  the  regulations.  The  best  way  to 
reduce  these  implementation  and  enforcement  ambiguities  is  to  make  the  privacy 
standards  applicable  to  all  individually  identifiable  health  information  transmitted 
or  maintained  by  a  covered  entity  regardless  of  its  form. 

3.  The  Regulations  should  explicitly  include  genetic  information  in  the  definition 
of  individually  identifiable  health  information.  (Section  164.504) 

NBCC  strongly  believes  that  the  definition  of  individually  identifiable  health  in- 
formation is  also  flawed.  While  "individually  identifiable  health  information"  is  de- 
fined as  information  that  "relates  to  the  past,  present  or  future  physical  or  mental 
health  or  condition  of  an  individual,"  this  definition  does  not  explicitly  include  ge- 
netic information.  NBCC  urges  the  Secretary  to  amend  the  definition  of  individually 
identifiable  health  information  so  that  genetic  information  is  afforded  the  same  pro- 
tection as  other  medical  information. 

Individuals  must  have  rights 
regarding  their  health  information. 

1.  Individuals  must  have  the  right  to  access,  amend  and  correct  protected  health 
information.  (Sections  164.514,  164.516) 

NBCC  strongly  beUeves  that  individuals  should  have  certain  rights  with,  regard 
to  their  medical  records  and  information  in  order  to  understand  how  they  are  being 
used  and  maintained.  Individuals  should  have  reasonable  access  to  their  records  to 
inspect,  copy,  supplement  or  amend  their  medical  records  so  that  they  can  make  in- 
formed health  care  decisions  and  correct  errors  where  appropriate.  The  regulations 
appropriately  provide  for  these  individual  rights.  Any  exceptions  that  would  deny 
an  individual's  access  must  be  extremely  limited  and  narrowly  construed. 
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2.  Individuals  must  have  the  right  to  restrict  uses  and  disclosures  of  their  health 
information.  (Section  164.506(c)) 

NBCC  also  believes  that  individuals  should  have  the  right  to  restrict  a  covered 
entity  from  continuing  to  use  and  disclose  protected  health  information.  Patients 
have  legitimate  concerns  that  ongoing  disclosures  could  result  in  personal  harm  or 
discrimination.  Individuals  should  be  able  to  seek  special  protection  for  certain  sen- 
sitive information  that  they  do  not  wish  to  be  disclosed.  For  example,  many  women 
may  wish  to  prevent  a  health  care  provider  from  disclosing  BRCAl  and  BRCA2  test 
results.  Accordingly,  NBCC  supports  the  general  idea  behind  the  regulations'  grant- 
ing individuals  the  right  to  request  restrictions  on  the  uses  and  disclosures  of  pro- 
tected health  information.  However,  the  regulations  must  provide  stronger  protec- 
tions by  binding  all  covered  entities  to  any  restriction  requested  by  an  individual 
(except  in  emergency  situations  or  when  it  would  harm  the  individual)  and  requir- 
ing them  to  comply  or  face  consequences. 

Individuals  must  be  given  notice  of 

information  practices.  (Sections  164.512,  164.520) 

It  is  important  that  individuals  understand  how  their  medical  records  are  to  be 
used  and  when  and  under  what  circumstances  that  information  will  be  disclosed  to 
a  third  party.  Individuals  should  be  given  easy-to-understand  written  notice  of  how 
their  health  information  will  be  used  and  by  whom.  Only  with  such  notice  can  peo- 
ple make  informed,  meaningful  choices  about  uses  and  disclosures  of  their  health 
information.  Adequate  notice  can  also  help  to  build  trust  between  patients  and 
health  care  provider  organizations  in  so  far  as  it  removes  any  element  of  surprise 
about  the  use  and  disclosure  of  health  information.  NBCC  believes  that  the  pro- 
posed regulation  properly  gives  individuals  the  right  to  adequate  notice  of  the  disclo- 
sure policies  of  covered  plans  and  providers. 

Individuals'  informed  consent  should 

be  obtained  in  most  instances. 

1.  Informed  consent  must  be  obtained  for  uses  and  disclosures  unrelated  to  health 
care.  (Section  164.508) 

NBCC  believes  that  a  covered  entity  must  obtain  an  individual's  specific  author- 
ization if  it  intends  to  use  or  disclose  protected  health  information  for  any  purpose 
other  than  treatment,  payment  or  health  care  operations.  Consumers  regularly  sign 
a  general  authorization  that  allows  providers  and  plans  to  use  their  personal  health 
information  for  treatment,  payment  or  health  care  operations.  However,  there  are 
many  other  uses  that  they  might  not  anticipate  and  would  want  to  know  about.  For 
example,  breast  cancer  patients  do  not  expect  that  information  concerning  their  in- 
dividual treatment  will  be  released  for  targeted  marketing  of  new  products  based 
on  their  health  status.  Nor  would  they  necessarily  want  non-health  related  divisions 
of  an  employer  who  provides  health  insurance  to  obtain  protected  health  informa- 
tion for  eligibility  or  enrollment  determinations,  underwriting  risk  determinations, 
or  employment  determinations.  Another  unforeseen  use  is  research  unrelated  to 
health  care,  for  which  there  is  insufficient  scientific  and  medical  evidence  regarding 
the  validity  or  utility  of  the  information.  Such  research  might  utilize  their  health 
information  to  discover  genetic  markers  that  could  later  be  used  to  discriminate 
against  women  with  a  genetic  predisposition  for  breast  cancer.  For  uses  such  as 
these  that  are  not  directly  related  to  treatment,  pajrment,  or  health  care  operations, 
NBCC  encourages  the  Secretary  to  retain  provisions  of  the  proposed  regulations 
that  require  covered  entities  to  obtain  separate  and  specific  authorization  from  indi- 
viduals. 

Requiring  individuals'  explicit  authorization  for  these  uses  would  enhance  individ- 
uals' control  over  their  protected  health  information,  if  and  only  if,  the  authoriza- 
tions are  specific  about  the  information  to  be  disclosed  and  where  the  information 
will  go.  Furthermore,  in  order  for  individuals  to  voluntarily  authorize  such  disclo- 
sures, their  authorization  must  not  be  coerced,  as  a  condition  of  payment.  NBCC 
suggests  that  the  regulations  be  revised  to  expressly  provide  that  a  covered  entity 
and  its  business  partners  may  use  or  disclose  protected  health  information  only  for 
the  purpose  specified  in  the  authorization.  This  would  help  ensure  that  the  informa- 
tion does  not  fall  into  the  hands  of  non-covered  entities  that  are  not  subject  to  the 
protections  afforded  by  the  regulations. 
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2.  Circumstances  under  which  informed  consent  is  not  required  should  he  strictly 
limited. 

Federal  privacy  standards  should  strictly  limit  the  circumstances  under  which  in- 
dividuals' identifiable  health  information  can  be  used  without  their  informed  con- 
sent. The  Secretary  has  proposed  that  covered  entities  could  use  and  disclose  pro- 
tected health  information  without  authorization  for:  il)  treatment,  payment,  and 
health  care  operations;  and  (2)  national  priority  activities. 

(a)  Informed  consent  is  not  necessary  for  uses  and  disclosures  related  to  treatment, 
payment  and  health  care  operations  if  the  meaning  of  these  terms  is  narrowly  inter- 
preted. (Section  164.506) 

Uses  and  disclosures  related  to  treatment,  payment  and  health  care  operations  in- 
clude purposes  such  as  quality  assurance,  utilization  re^dew,  credentiahng,  and 
other  activities  that  are  part  of  ensuring  appropriate  treatment  and  payment.  While 
NBCC  generally  agrees  that  informed  consent  is  not  necessar>^  for  these  purposes, 
the  provisions  addressing  the  meaning  of  treatment,  payment,  and  health  care  oper- 
ations should  be  amended.  For  example,  the  terms  "treatment"  and  "pajTnent" 
should  be  narrowly  interpreted  as  appl}dng  to  the  individual  who  is  the  subject  of 
the  information.  In  addition,  the  definition  of  "treatment"  should  be  amended  to  en- 
sure that  disease  management  programs  are  only  conducted  v,-ith  the  authorization 
of  the  treating  physician.  The  regulation  should  also  expressly  state  that  the  term 
"health  care  operations"  includes  only  disclosures  made  to  the  covered  entity  for  a 
business  partner  of  such  entity)  on  whose  behalf  the  operation  is  being  performed. 
Furthermore,  the  regulations  should  hmit  the  definition  of  health  care  operations 
to  include  only  those  operations  that  cannot  be  carried  on  with  reasonable  effective- 
ness and  efficiency  without  protected  health  information. 

(b)  Generally,  informed  consent  is  not  necessary  for  uses  and  disclosures  related 
to  national  priority  activities.  (Section  164.510  ''b)  through  (n; 

The  regulations  also  provide  that  individually  identifiable  information  could  be 
disclosed  without  informed  consent  for  the  following  national  priority  activities: 
health  care  oversight,  pubhc  health,  emergency  purposes,  research,  judicial  and  ad- 
ministrative proceedings,  law^  enforcement,  and  to  provide  information  to  next-of- 
kin.  While  NBCC  notes  the  importance  of  these  activities,  we  urge  that  the  final 
regulation  include  certain  safeguards  to  protect  individuals  against  arbitrary  disclo- 
sures for  law  enforcement  purposes. 

Law  enforcement  should  not  have  unfettered  access  to  medical  records.  (Section 
164.510(f)) 

We  believe  that  the  federal  law  protecting  the  privacy  of  health  information 
should  be  just  as  strong,  if  not  stronger,  than  the  protections  for  cable  and  video 
records.  Medical  records  contain  personal  and  sensitive  information,  and  the  misuse 
of  peoples'  medical  information  can  lead  to  loss  of  jobs  and  benefits,  discrimination, 
embarrassment,  and  other  harms.  However,  under  the  regulations,  medical  records 
are  not  afforded  the  same  protections  with  regard  to  disclosures  for  law  enforcement 
purposes.  In  Hght  of  the  importance  of  medical  records,  we  recommend  that  law  en- 
forcement be  required  to  obtain  legal  process — such  as  a  warrant  or  court  order — 
that  is  judicially-approved  after  apphcation  of  a  Fourth  Amendment  probable  cause 
standard. 

Prp/acy  Standards  Should  not  Impedede  Medical  Research. 

1.  All  research  information  related  to  health  care  should  be  reviewed  under  privacy 
standards  before  waiver  of  individual  authorization  can  occur.  (Section  164.510(j)) 

There  has  been  much  debate  about  what  are  appropriate  safeguards  for  person- 
ally identifiable  information  v\ith  regard  to  research.  Increasingly,  health  services, 
epidemiological,  biological  and  statistical  research  utihzes  medical  or  health  records 
and  does  not  involve  any  interaction  betw-een  the  researcher  and  the  patients.  Re- 
searchers have  legitimately  raised  serious  questions  about  the  feasibihty  of  seeking 
authorizations  from  thousands  or  possibly  millions  of  individuals.  Other  research 
such  as  retrospective  or  secondary  research  also  utihzes  archival  patient  materials, 
including  medical  records  and  tissue  specimens,  and  does  not  involve  direct  inter- 
action with  individuals.  While  the  data  can  be  encrypted,  researchers  and  epi- 
demiologists need  to  link  this  data  back  to  individuals  in  order  to  generate  meaning- 
ful conclusions  regarding  the  benefits  and  adverse  outcomes  of  particular  treat- 
ments, as  well  as  medical  effectiveness.  The  question  for  breast  cancer  advocates  is 
imder  what  situations  would  it  be  appropriate  to  allovy  the  disclosure  of  health  in- 
formation for  research  purposes  without  patient  authorization. 
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Currently,  under  the  Common  Rule,  research  organizations  conducting  federally 
funded  or  regulated  research  projects  must  establish  and  operate  institutional  re- 
view boards  (IRBs),  which  are  responsible  for  reviewing  research  protocols  and  for 
implementing  federal  requirements  designed  to  protect  the  rights  and  safety  of 
human  subjects.  No  human-subjects  research  may  be  initiated,  and  no  ongoing  re- 
search may  continue,  in  the  absence  of  IRB  approval.  Integral  to  conducting  re- 
search under  the  Common  Rule  is  a  requirement  that  there  is  proper  informed  con- 
sent and  documentation  of  that  consent.  There  are,  however,  circumstances  when 
the  IRB  can  waive  informed  consent  (the  Common  Rule).  These  circumstances  are 
when  the  IRB  finds  and  documents  that  the  research:  (1)  involves  no  more  than 
minimal  risk  to  subject;  (2)  won't  adversely  affect  the  rights  and  welfare  of  subjects; 
(3)  research  can't  be  carried  out  without  the  waiver;  and  (4)  whenever  appropriate, 
subjects  will  be  given  more  information  after  participation.  Much  of  the  research  re- 
lying on  medical  records  would  meet  this  test.  In  fact,  research  that  relies  solely 
on  medical  records  databases  or  pathology  specimens  may  be  reviewed  in  an  expe- 
dited fashion  by  the  IRB. 

While  the  IRBs  are  not  without  problems  and  the  informed  consent  process  is  far 
from  perfect,  NBCC  believes  this  is  an  appropriate  paradigm  to  build  upon.  IRBs 
have  also  been  given  the  responsibility  to  ensure  there  are  adequate  provisions  to 
protect  the  privacy  of  subjects  and  to  maintain  the  confidentiality  of  data  and  en- 
sure protections  for  individuals  involved  in  research.  We  beUeve  that  it  would  be 
appropriate  to  disclose  protected  health  information  for  health  research  without  ob- 
t£iining  authorization  if  the  Secretary  requires  that  ail  health  research  be  reviewed 
by  an  IRB  or  an  IRB-like  entity  ("internal  privacy  board").  In  addition,  we  would 
like  to  see  that  all  internal  privacy  boards  meet  current  requirements  for  an  IRB 
with  respect  to  information  protection,  use,  and  disclosure,  and  are  determined  to 
be  qualified  to  assess  and  protect  the  confidentiality  of  protected  health  information. 
Also,  the  regulations  should  provide  that  there  be  equal  oversight  and  accountability 
for  both  IRBs  and  privacy  boards. 

Only  under  these  circumstances  would  it  be  appropriate  to  waive  authorization. 
NBCC  acknowledges  that  internal  privacy  boards  have  drawbacks  -but  they  appear 
to  be  an  acceptable  alternative  to  an  IRB. 

Generally,  we  support  the  intention  with  regard  to  research  in  the  draft  regula- 
tion. The  regulation  reflects  NBCC's  position  that  there  shoiild  be  uniform  rules  for 
researchers  regardless  of  the  source  of  funding.  We  also  support  the  four  proposed 
additional  waiver  criteria  that  IRBs  and  privacy  boards  must  consider:  (1)  the  re- 
search would  be  impracticable  to  conduct  without  the  individually  identifiable 
health  information;  (2)  the  research  project  is  of  sufficient  importance  to  outweigh 
the  intrusion  into  the  privacy  of  the  individual  whose  information  would  be  dis- 
closed; (3)  there  is  an  adequate  plan  to  protect  the  identifiers  from  improper  use 
and  disclosure;  and  (4)  there  is  an  adequate  plan  to  destroy  the  identifies  at  the 
earliest  opportunity  consistent  with  the  conduct  if  the  research,  unless  there  is  a 
health  or  research  justification  for  retaining  identifiers.  These  additional  criteria 
emphasize  the  need  for  protecting  privacy. 

While  NBCC  believes  that  the  Secretary's  proposed  rules  attempt  to  create  a  bal- 
ance between  privacy  and  research,  there  are  certain  limitations  with  regard  to  re- 
searchers. Mainly,  the  draft  regulation  only  addresses  the  use  and  disclosure  of 
"protected  health  information"  by  covered  entities.  Researchers  who  generate  their 
own  health  information  fall  outside  the  scope  of  the  regulations  if  they  are  not  based 
within  a  covered  entity,  and  do  not  provide  health  care.  We  understand  that  this 
reflects  the  legal  constraint  imposed  on  HHS  by  the  HIPAA.  Since  a  great  deal  of 
research  will  continue  to  fall  outside  the  scope  of  federal  regulation,  we  believe  that 
there  is  still  an  important  role  to  be  played  by  Congress  to  fill  this  gap. 

2.  Individually  identifiable  health  information  must  be  afforded  greater  privacy 
protection  when  it  is  used  or  disclosed  for  research  that  is  unrelated  to  health  care. 
(Section  164.508  (a)  (3)  (iv)  (B)) 

NBCC  recognizes  the  importance  of  allowing  researchers  to  conduct  vital  bio- 
medical research.  The  proposed  regulations  draw  a  distinction  between  research  in- 
formation that  is  related  to  the  delivery  of  care,  such  as  information  handled  in 
therapeutic  clinical  trials,  and  that  which  is  not  related  to  treatment,  such  as  early 
gene  sequence  analysis.  Research  information  that  is  unrelated  to  health  care  is:  (1) 
received  or  created  by  a  covered  entity  in  the  course  of  conducting  research;  (2)  in- 
formation for  which  there  is  insufficient  scientific  and  medical  evidence  regarding 
the  validity  or  utility  of  the  information  such  that  it  should  not  be  used  for  the  pur- 
pose of  providing  health  care;  and  (3)  payment  is  not,  or  has  not,  been  requested 
from  a  health  plan.  The  distinction  has  been  drawn  so  that  individually  identifiable 
health  information  is  afforded  greater  privacy  protection  when  it  is  used  or  disclosed 
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for  purposes  that  are  unrelated  to  health  care.  Under  the  proposed  rule,  research 
information  unrelated  to  health  care  generally  may  only  be  used  or  disclosed  with 
authorization. 

We  believe  that  the  Secretary  has  properly  drawn  this  distinction.  However,  the 
definition  of  "research  information  unrelated  to  treatment"  should  be  revised  to  en- 
sure that  once  information  is  classified  as  such,  it  cannot  be  re-classified  as  some- 
thing else  at  a  later  date.  We  believe  that  without  qualifying  language  this  informa- 
tion would  be  vulnerable  to  disclosure  in  the  fiiture,  if  the  information  were  later 
to  become  of  scientific  validity.  The  regulation  should  be  clear  that  once  information 
is  considered  "research  information  unrelated  to  treatment"  it  remains  that  way. 
This  is  especially  important  given  that  "research  information  imrelated  to  treat- 
ment" is  afforded  a  higher  degree  of  protection  under  the  proposed  regulation.  Indi- 
viduals may  rely  on  this  higher  degree  of  confidentiaUty  when  consenting  to  the  col- 
lection of  the  information  in  the  first  instance.  This  confidentiality  should  not  be  be- 
trayed in  the  future  just  because  the  utility  of  the  information  has  changed. 

The  regulations  should  preempt  state  privacy  laws 
that  provide  less  stringent  protections  and 
should  not  preempt  strong  state  privacy  laws.  (Section  160.203) 

NBCC  supports  preemption  if  it  sets  a  floor  for  the  states  and  not  a  ceiling.  We 
should  not  force  states  that  have  established  strong  privacy  laws  to  adopt  a  lower 
standard.  The  proposed  regulations  reflect  this  position.  The  rule  will  preempt  state 
laws  that  are  in  conflict  with  the  regulatory  requirements  and  that  provide  less 
stringent  privacy  protections,  but  will  not  preempt  state  laws  that  are  more  strin- 
gent. 

Enforcement  of  Medical  Privacy  Standards  must  include 
a  private  right  of  action  for  individuals. 

Most  importantly,  we  believe  that  there  should  be  strong  criminal  and  civil  pen- 
alties for  intentionally  or  negligently  using  individually  identifiable  health  informa- 
tion. While  HIPPA  granted  the  Secretary  the  authority  to  impose  civil  monetary 
penalties  and  criminal  penalties  pursuant  to  the  proposed  regulations,  it  did  not 
provide  for  a  private  right  of  action  for  individuals.  NBCC's  position  is  that  the  key 
to  enforceability  is  a  meaningful  private  right  of  action  -individuals  must  have  the 
right  to  sue  if  their  privacy  rights  are  violated.  Only  strong  enforcement  will  give 
people  confidence  that  their  health  information  is  protected  and  ensure  that  those 
holding  health  information  take  their  responsibilities  seriously. 

Appropriate  safeguards  against  misuse  are  necessary  to  help  build  public  trust. 
Only  if  women  trust  that  their  individual  health  information  will  be  kept  private, 
will  they  be  willing  to  participate  in  research  efforts.  At  a  time  when  new  advances 
in  science  depend  heavily  on  participation  in  clinical  research,  we  cannot  let  the  op- 

Eortunity  to  build  pubhc  trust  go  by.  Knowledge  about  how  to  prevent  and  cure 
reast  cancer  will  only  come  if  real  federal  standards  for  medical  privacy  are  en- 
acted. 

We  respectfully  request  that  HHS  reexamine  and  redefine  its  current  proposal, 
and  hope  to  have  the  opportunity  to  work  with  HHS  and  Congress  on  improving 
federal  medical  privacy  standards. 
Sincerely, 

Fran  Visco 

President 


Statement  of  Judith  L.  Lichtman,  President,  National  Partnership  for 
Women  &  Families 

The  National  Partnership  for  Women  &  Families  is  a  national  advocacy  organiza- 
tion dedicated  to  improving  the  lives  of  women  and  famihes.  Improving  access  to 
high  quality  health  care  is  an  integral  part  of  our  mission.  Privacy  of  medical  infor- 
mation is  an  essential  component  of  high  quality  care.  Medical  privacy  is  especially 
important  to  women  because  they  are  the  greatest  users  of  health  care  services  and 
because  of  their  need  for  sensitive  services  like  reproductive  health  and  mental 
health  services.  Medical  privacy  is  also  especially  important  to  women  who  are  vic- 
tims of  domestic  violence  because  inappropriate  disclosures  can  threaten  their  per- 
sonal safety  and  that  of  their  children. 

Without  confidence  that  private  information  will  remain  just  that— private — 
women  are  reluctant  to  share  information  with  their  health  care  professionals— to 
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the  detriment  of  their  own  health.  Fear  that  medical  information  is  not  kept  con- 
fidential also  keeps  women  from  obtaining  health  care  services  in  the  first  place  or 
forces  them  to  go  outside  their  health  plan  and  incur  significant  out-of-pocket  ex- 
penses. 

In  recognition  of  our  leadership  on  women's  health  issues  and  keen  interest  in 
medical  privacy,  the  National  Partnership  was  asked  to  become  a  member  of  the 
steering  committee  of  the  Georgetown  University  Medical  Center,  Health  Privacy 
Project's  Consumer  Coalition.  As  an  active  member  of  the  steering  committee,  we 
helped  develop  the  coalition's  privacy  principles.  We  applied  these  principles  in  our 
analysis  of  the  proposed  rule  on  medical  privacy  issued  by  the  Department  of  Health 
and  Human  Services  on  November  3,  1999. 

Strong  and  enforceable  privacy  protections  are  needed  now  more  than  ever  thanks 
to  the  recent  changes  in  our  health  care  system.  The  rise  of  managed  care  means 
that  more  people  have  access  to  a  person's  medical  information.  The  computer  revo- 
lution makes  immediate  transfer  and  disclosure  of  such  information  possible,  but 
also  brings  with  it  the  possibility  of  strong  safeguards  against  inappropriate  use  and 
disclosure  (e.g.,  the  need  for  passwords  to  access  files). 

We  had  hoped  that  Congress  would  meet  its  own  self-imposed  deadline  of  August, 
21,  1999,  and  enact  comprehensive  privacy  legislation.  Unfortunately,  Congress 
failed  to  meet  that  deadline. 

We  applaud  the  Department  of  Health  and  Human  Services  (HHS)  for  stepping 
up  to  the  plate  and  promulgating  this  proposed  rule.  The  promulgation  of  this  pro- 
posed rule  represents  an  extremely  important  step  in  restoring  confidence  in  the  pri- 
vacy of  health  information.  There  are  many  positive  features  of  this  proposed  rule 
that  we  discuss  in  our  formal  comments  to  HHS,  as  well  as  areas  where  we  urge 
the  Department  to  revise  its  approach.  But  even  if  the  Department  adopted  all  of 
our  recommendations,  Congress  would  still  need  to  act.  For  example,  the  proposed 
rule  cannot,  and  does  not,  reach  all  of  the  people  or  entities  that  use  or  transfer 
medical  information.  Nor  does  it  provide  meaningful  enough  remedies  for  people 
whose  privacy  rights  are  violated.  These  holes  can  only  be  fixed  by  Congress,  and 
we  call  upon  Congress  to  enact  legislation  to  fill  in  these  holes. 

Some  of  the  features  of  the  proposed  rule  that  we  believe  are  especially  important 
are  the  following: 

•  that  individuals  will  have  the  right  to  see  and  copy  (and  supplement)  their  own 
health  information; 

•  that  individual  authorization  will  be  required  for  many  uses  and  disclosures  of 
protected  health  information; 

•  that  psychotherapy  notes  will  get  the  benefit  of  special  protections; 

•  that  only  the  "minimum  necessary"  to  accomplish  the  intended  purpose  of  the 
use  or  disclosure  will  be  used  or  disclosed; 

•  that  individuals  will  be  considered  "intended  third  party  beneficiaries"  of  any 
contract  between  a  covered  entity  and  its  business  partners,  thus  able  to  enforce 
their  own  privacy  rights  if  this  contract  is  breached; 

•  that  the  Department  has  attempted  to  establish  uniform  rules  for  researchers, 
regardless  of  the  source  of  the  funding  for  the  research;  and 

•  that,  in  most  instances,  the  federal  rules  will  operate  as  a  "floor,"  not  a  "ceil- 
ing," leaving  states  with  the  authority  to  provide  greater  protection  for  privacy. 

There  are  many  areas  where  we  believe  the  Department  can,  and  should,  more 
fully  protect  privacy.  One  primary  improvement  would  be  to  clarify  the  responsibil- 
ities of  employers  that  sponsor  covered  health  plans.  Since  most  women  and  families 
get  their  insurance  through  employment,  they  fear  that  employers  know  more  than 
they  should  about  their  private  medical  information  and  may  use  that  information 
inappropriately  to  make  employment  decisions.  Unless  the  Department's  rule 
reaches  employers  to  the  fullest  extent  possible,  America's  women  and  families  will 
not  believe  their  privacy  has  truly  been  protected.  In  addition,  a  few  of  our  other 
recommendations  include  the  following: 

•  requiring  individual  authorization  for  treatment,  payment,  and  health  care  op- 
erations purposes; 

•  creating  a  special  authorization  process  for  certain  disclosures  about  sensitive 
services; 

•  better  protecting  the  personal  safety  of  victims  of  domestic  violence,  including 
children  who  are  victims  of  abuse;  and 

•  improving  the  way  the  proposed  rule  handles  the  rights  of  minors. 

We  look  forward  to  working  with  the  Administration  and  Congress  to  improve  the 
quality  of  health  care  and  to  protect  the  privacy  of  medical  information. 
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Statement  of  Hon.  Ron  Paul,  a  Representative  in  Congress  from  the  State 

of  Texas 

Mr.  Chairman,  I  wish  to  thank  you  for  hax-ing  this  timely  hearing  on  the  Depart- 
ment of  Health  and  Human  Services'  medical  privacy  proposal.  I  also  appreciate  the 
opportimity  to  share  my  reasons  for  opposing  HHS'  proposal  with  the  Committee. 

While  I  have  several  serious  objections  to  certain  parts  of  HHS'  proposal,  Mr. 
Chairman,  my  main  objection  to  these  rules  is  with  the  underlying  principle  of  al- 
lowing a  federal  agency  to  establish  one  uniform  medial  privacy  rule  for  all  Ameri- 
cans. Protecting  medical  privacy  is  a  noble  goal,  however,  the  federal  government 
is  not  constitutionally  authorized  to  mandate  a  imiform  standard  of  privacy  protec- 
tions for  every  citizen  in  the  nation.  Rather,  the  question  of  who  should  have  access 
to  a  person's  medical  records  should  be  determined  by  private  contracts  between 
that  person  and  their  health  care  provider. 

Unfortunately,  government  policies  encouraging  citizens  to  rely  on  third-party 
payors  for  even  routine  heath  care  expenses  has  xmdermined  the  individual's  ability 
to  control  any  aspect  of  their  own  health  care,  including  questions  regarding  access 
to  their  medical  records.  All  too  often,  third-party  payors  use  their  control  over  the 
health  care  dollar  to  gain  access  to  even  the  most  personal  details  of  an  individual's 
health  care,  using  the  justification  that  because  they  are  pajring  for  the  treatments 
they  must  have  access  to  the  patient's  medical  records  to  protect  against  fraud  or 
other  malfeasance.  Because  most  of  the  concerns  about  medical  privacy  are  rooted 
in  the  loss  of  individual  control  over  the  health  care  dollar,  the  solution  to  the  loss 
of  medical  privacy  is  to  empower  the  individual  by  giving  them  back  control  of  their 
health  care  dollar.  The  best  way  to  do  this  is  through  means  such  as  Medical  Sav- 
ings Accounts  and  individual  tax  credits  for  health  care.  When  the  individual  has 
control  over  their  health  care  dollar,  they  can  control  all  aspects  of  their  health 
care — including  who  should  have  access  to  their  medical  records. 

Rather  than  support  efforts  to  place  the  individual  back  in  control  of  health  care, 
this  administration  and  many  in  Congress  have  pursued  an  agenda  that  would  en- 
hance the  power  of  the  federal  government  over  health  care.  HHS'  proposed  medical 
privacy  regulations  continue  in  that  sad  tradition. 

In  the  name  of  protecting  privacy,  HHS  has  reduced  the  individual's  control  over 
their  medical  records.  HHS'  proposal,  if  enacted,  would  deny,  as  a  matter  of  federal 
law,  individuals  the  ability  to  contract  with  the  providers  or  payors  to  estabhsh  limi- 
tations on  who  should  have  access  to  their  medical  records.  Instead,  every  American 
will  be  forced  to  accept  the  privacy  standard  decided  upon  by  Washington-based  bu- 
reaucrats and  politicians. 

Individual  citizens  would  not  only  have  to  accept  the  privacy  standards  dictated 
to  them  by  Washington  bureaucrats,  they  would  even  be  deprived  the  ability  to  hold 
those  who  violated  their  privacy  accountable  in  a  court  of  law.  Instead,  the  regula- 
tions give  the  Federal  Government  the  power  to  punish  those  who  violate  these  fed- 
eral standards.  Thus,  in  a  remarkable  example  of  government  paternalism,  individ- 
uals are  forced  to  rely  on  the  good  graces  of  government  bureaucrats  for  protection 
of  their  medical  privacy.  These  regiSations  also  create  yet  another  unconstitutional 
federal  crime,  at  a  time  when  voices  from  across  the  political  spectrum  are  decrying 
the  nationalization  of  law  enforcement. 

HHS  appears  to  believe  that  the  American  people  should  accept  the  privacy  pro- 
tections designed  by  the  "experts"  in  Washington.  There  is  no  other  explanation  for 
the  obstacles  placed  in  the  path  of  those  seeking  to  comment  on  this  regulation.  For 
example,  HHS  is  refusing  to  accept  faxed  comments.  Furthermore,  the  web  site  that 
HHS  has  established  to  accept  comments  is  very  difficult  to  use  and  does  not  even 
let  the  user  know  whether  or  not  HHS  has  received  his  comments!  Mr.  Chairman, 
should  we  trust  an  agency  that  shows  such  a  reluctance  to  hear  the  voice  of  the 
people  with  the  power  to  determine  medical  privacy  rules  for  all  Americans? 

These  so-called  "privacy  protection"  regulations  not  only  strip  individuals  of  any 
ability  to  determine  for  themselves  how  best  to  protect  their  medical  privacy,  they 
also  create  a  privileged  class  of  people  with  a  federally-guaranteed  right  to  see  an 
individual's  medical  records  without  the  individual's  consent.  For  example,  medical 
researchers  may  access  a  person's  private  medical  records  even  if  an  individual  does 
not  want  their  private  records  used  for  medical  research.  Although  individuals  will 
be  told  that  their  identity  will  be  protected  the  fact  is  that  no  system  is  fail-safe. 
I  am  aware  of  at  least  one  incident  where  a  man  had  his  medical  records  used  with- 
out his  consent  and  the  records  inadvertently  revealed  his  identity.  As  a  result, 
many  people  in  his  community  discovered  details  of  his  medical  history  that  he 
wished  to  keep  private! 
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Forcing  individuals  to  divulge  medical  information  without  their  consent  also  runs 
afoul  of  the  Fifth  Amendment's  prohibition  on  taking  private  property  for  public  use 
without  just  compensation.  After  all,  people  do  have  a  legitimate  property  interest 
in  their  private  information;  therefore  restrictions  on  an  individuals  ability  to  con- 
trol the  dissemination  of  their  private  information  represents  a  massive  regulatory 
taking.  The  takings  clause  is  designed  to  prevent  this  type  of  sacrifice  of  individual 
property  rights  for  the  "greater  good." 

In  a  free  society  such  as  the  one  envisioned  by  those  who  drafted  the  Constitution, 
the  federal  government  should  never  force  a  citizen  to  divulge  personal  information 
to  advance  "important  social  goals."  Rather,  it  should  be  up  to  the  individuals,  not 
the  government,  to  determine  what  social  goals  are  important  enough  to  warrant 
allowing  others  access  to  their  personal  property,  including  their  personal  informa- 
tion. To  the  extent  these  regulations  sacrifice  individual  rights  in  the  name  of  a  bu- 
reaucratically -determined  "common  good,"  they  are  incompatible  with  a  free  society 
and  a  constitutional  government. 

HHS'  "medical  privacy"  proposals  also  endangers  the  privacy  of  Americans  by  al- 
lowing law  enforcement  and  other  government  officials  access  to  a  citizen's  private 
medical  record  without  having  to  obtain  a  search  warrant.  This  is  a  blatant  viola- 
tion of  the  Fourth  Amendment  to  the  United  States  Constitution,  which  protects 
American  citizens  from  warrantless  searches  by  government  officials.  The  require- 
ment that  law  enforcement  officials  obtain  a  warrant  from  a  judge  before  searching 
private  documents  is  one  of  the  fundamental  protections  against  abuse  of  the  gov- 
ernment's power  to  seize  an  individual's  private  documents.  While  the  fourth 
amendment  has  been  interpreted  to  allow  warrantless  searches  in  emergency  situa- 
tions, it  is  hard  to  conceive  of  a  situation  where  law  enforcement  officials  would  be 
unable  to  obtain  a  warrant  before  electronic  medical  records  would  be  destroyed. 

The  proposal's  requirement  that  law  enforcement  officials  submit  a  written  re- 
quest to  doctors,  hospital  and  insurance  companies  before  they  can  access  private 
medical  records  is  a  poor  substitute  for  a  judicially-issued  warrant.  Private  citizens 
are  more  likely  to  want  to  cooperate  with  law  enforcement  officials  than  are  mem- 
bers of  the  judiciary,  if  for  no  other  reason  than  because  hospital  administrators, 
insurance  company  personnel,  and  health  care  providers  will  lack  the  time  and  ex- 
pertise to  properly  determine  if  a  government  officials'  request  is  legitimate.  Fur- 
thermore, private  citizens  are  more  likely  to  succumb  to  pressure  to  "do  their  civic 
duty"  and  cooperate  with  law  enforcement — no  matter  how  unjustified  the  request — 
than  members  of  the  judiciary. 

I  also  object  to  the  fact  that  these  proposed  regulations  "permit"  health  care  pro- 
viders (many  of  whom  are  beholden  to  government  funding)  to  give  medical  records 
to  the  government  for  inclusion  in  a  federal  health  care  data  system.  Such  a  system 
would  contain  all  citizens'  personal  health  care  information.  History  shows  that 
when  the  government  collects  this  tj^e  of  personal  information  the  inevitable  result 
is  the  abuse  of  citizens'  privacy  and  liberty  by  imscrupulous  government  officials. 
The  only  fail-safe  privacy  protection  is  for  the  government  not  to  collect  and  store 
this  type  of  personal  information. 

The  collection  and  storing  of  personal  medical  information  authorized  by  these 
regulations  may  also  revive  an  effort  to  establish  a  "unique  health  identifier"  for  all 
Americans.  As  you  are  no  doubt  aware,  Mr.  Chairman,  a  moratorium  on  funds  for 
developing  such  an  identifier  was  included  in  the  HHS'  budget  for  fiscal  years  1998 
and  1999.  This  was  because  of  a  massive  public  outcry  against  having  one's  medical 
records  easily  accessible  to  anyone  who  knows  their  "unique  health  identifier."  The 
American  people  do  not  want  their  health  information  recorded  on  a  database  and 
they  do  not  wish  to  be  assigned  a  unique  health  identifier.  Congress  must  head  the 
wishes  of  the  American  people  and  repeal  the  statutory  authority  for  HHS  to  estab- 
lish a  "unique  health  identifier"  for  all  Americans. 

As  an  OB-GYN  with  more  than  30  years  experience  in  private  practice,  I  am  very 
concerned  by  the  threat  to  good  medical  practice  posed  by  these  regulations.  The 
confidential  physician-patient  relationship  is  the  basis  of  good  health  care;  often- 
times effective  treatment  depends  on  patients'  ability  to  place  absolute  trust  in  his 
or  her  doctor.  The  legal  system  has  acknowledged  the  importance  of  maintaining 
physician-patient  confidentiality  by  granting  physicians  a  privilege  not  to  divulge  in- 
formation confided  to  them  by  their  patients. 

Before  implementing  these  rules  or  passing  any  legislation  related  to  medical  pri- 
vacy, HHS  and  Congress  should  consider  what  will  happen  to  that  trust  between 
patients  and  physicians  when  patients  know  that  any  and  all  information  given 
their  doctor  may  be  placed  in  a  government  database  or  seen  by  medical  researchers 
or  handed  over  to  government  agents  without  a  warrant? 

Questions  of  who  should  or  should  not  have  access  to  one's  medical  privacy  are 
best  settled  via  contract  between  a  patients  and  a  provider.  However,  the  govern- 
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ment-insurance  company  complex  that  governs  toda/s  health  care  industry  has  de- 
prived the  individual  patients  of  control  over  their  health  care  records,  as  well  as 
over  numerous  other  aspects  of  their  health  care.  Rather  then  put  the  individual 
back  in  charge  of  his  or  her  medical  records,  the  Department  of  Health  and  Human 
Services  proposed  privacy  regulations  give  the  federal  government  the  authority  to 
decide  who  will  have  access  to  individual  medical  records.  These  regulations  thus 
reduce  individuals'  abihty  to  protect  their  own  medical  privacy. 

These  regulations  violate  the  fundamental  principles  of  a  free  society  by  placing 
the  perceived  "societal"  need  to  advance  medical  research  over  the  individuals  right 
to  privacy.  They  also  violate  the  Fourth  and  Fifth  Amendments  by  allowing  law  en- 
forcement officials  and  government  -favored  special  interests  to  seize  medical 
records  without  an  individual's  consent  or  a  warrant  and  could  facihtate  the  cre- 
ation of  a  federal  database  containing  the  health  care  data  of  every  American  citi- 
zen. These  developments  could  undermine  the  doctor-patient  relationship  and  thus 
worsen  the  health  care  of  millions  of  Americans. 

In  conclusion,  Mr.  Chairman,  I  recommend  that  Congress  embrace  meaningful 
protection  for  medical  privacy  by  empowering  individuals  to  protect  their  medical 
records  by  repeahng  the  statutory  authorization  for  the  Department  of  Health  and 
Human  Services  to  impose  a  one-size-fits  all  "privacy"standard  on  all  Americans  and 
passing  legislation  placing  patients  back  in  control  of  the  health  care  system. 


Statement  of  the  Physician  Insurers  Association  of  America,  Rockville,  MD 

Thank  you  for  the  opportunity  to  comment  on  the  proposed  regulations  to  imple- 
ment standards  governing  the  privacy  of  individually  identifiable  health  information 
as  directed  under  section  262  of  the  Health  Insurance  Portability  and  Accountabihty 
Act  of  1996  ("HIPAA"  or  the  "Act").  The  proposed  rule  appears  to  be  drafted  to  ad- 
dress considerations  involving  health  care  providers  and  other  "covered  entities" 
that  are  the  primary  repositories  of  individually  identifiable  health  information. 
However,  the  proposed  rule  would  also  impact  professional  liabihty  insurers  pri- 
marily due  to  the  contractual  restrictions  placed  on  "business  partners." 

Interest  of  the  Physician  Insurers  Association  of  America  (PIAA) 

The  PIAA  is  a  trade  association  of  more  than  55  professional  hability  insurance 
companies  owned  and/or  operated  by  doctors  and  dentists.  Collectively,  these  compa- 
nies insure  approximately  60  percent  of  America's  practicing  physicians,  as  well  as 
dentists,  hospitals,  and  other  health  care  providers.  As  such,  PIAA  member  insur- 
ance companies  routinely  receive  reports  from  providers  when  adverse  outcomes 
occur  where  no  claim  for  recompense  has  yet  been  made.  These  "event  or  incident 
reports,"  as  they  are  known,  usually  contain  individually  identifiable  health  infor- 
mation. Such  important  information  is  treated  with  the  strictest  confidentiality,  and 
is  rarely  transmitted  to  anyone  outside  of  the  insurance  company. 

While  the  PIAA  and  its  members  strongly  support  appropriate  privacy  protections 
for  individually  identifiable  health  information,  we  have  several  significant  concerns 
regarding  the  scope  of  the  proposed  rule,  its  liabihty  imphcations  and  the  significant 
costs  and  burdens  of  complying  with  the  proposed  regulations. 

Application  to  Business  Partners 

The  provisions  contained  at  section  164.506(e)  of  the  proposed  rule  governing  the 
rule's  apphcation  to  business  partners  of  covered  entities  are  the  source  of  concern 
for  the  PIAA  in  two  significant  respects. ^  First,  this  section  of  the  proposed  rule  pur- 
ports to  regulate  indirectly  business  partners  that  the  agency  has  acknowledged  it 
lacks  the  authority  to  regiilate  directly.  Second,  section  164.506(e)(2)(ii)(A)'s  require- 
ment that  these  contracts  designate  "individuals  whose  protected  health  information 


1  Section  164.504  defines  'TDusiness  partner"  as  "a  person  to  whom  the  covered  entity  discloses 
protected  health  information  so  that  the  person  can  carrv-  out,  assist  \\ith.  the  performance  of, 
or  perform  on  behalf  of,  a  function  or  acti\'ity  for  the  covered  entity."  The  proposed  rule  identi- 
fies "la^s'yers,  auditors,  consultants,  third-party  administrators,  health  care  clearinghouses,  data 
processing  firms,  billing  firms,  and  other  covered  entities"  as  examples  of  business  partners  for 
purposes  of  the  proposed  rule.  Although  not  specifically  mentioned,  the  PIAA  believes  that  pro- 
fessional Hability  insurers  would  meet  the  definition  of  "business  partner"  for  purposes  of  the 
rule,  and  assumes  that  professional  Hability  insurers  are  so  classified  for  piirposes  of  these  com- 
ments.   
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is  disclosed"  pursuant  to  the  contract  as  explicit  third  party  beneficiaries,  thereby 
creates  potential  liability  under  state  law. 

Turning  to  the  first  concern,  Congress  expressly  set  forth  those  entities  to  be  cov- 
ered by  the  regulation  in  section  1172(a)(1)  of  the  Act.  Indeed,  the  preamble  to  the 
proposed  rule  acknowledges  that  "we  do  not  have  the  authority  to  apply  these  stand- 
ards directly  to  any  entity  that  is  not  a  covered  entity... [w]e  would  attempt  to  fill 
this  gap  in  our  legislative  authority  in  part  by  requiring  covered  entities  to  apply 
many  of  the  provisions  of  the  rule  to  the  entities  with  whom  they  contract  for  ad- 
ministrative and  other  services."  ^  Using  mandated  contractual  arrangements  to  ex- 
tend the  reach  of  the  regulation  to  parties  not  contemplated  by  Congress  exceeds 
the  authority  delegated  to  the  agency  by  statute.  The  PIAA  believes  that  the  agency 
should  reconsider  this  course  and  allow  covered  entities  to  determine  for  themselves 
how  best  to  fulfill  their  responsibilities  under  the  Act  in  their  relations  with  busi- 
ness partners  and  others.  The  agency  should  not  attempt  to  usurp  Congressional  au- 
thority through  the  use  of  the  contractual  artifice  included  in  the  proposed  rule. 

For  instance,  section  164.506(e)(2)(i)(H)  of  the  proposed  rule  would  specify  that, 
"At  the  termination  of  the  contract,  the  business  partner  must  return  or  destroy  all 
protected  health  information  received  from  the  covered  entity."  ^  This  proposed  re- 
quirement fails  to  recognize  that  many  professional  liability  contracts  terminate 
every  12  months  at  which  time  a  new  contract  may  be  offered  to  a  provider.  A  deci- 
sion to  offer  the  provider  a  new  insurance  contract  would  certainly  involve  a  review 
of  past  claims  and  adverse  event  experience  beyond  the  previous  12  months.  Like- 
wise, a  claim  may  be  filed  against  that  provider  long  after  the  contract  has  termi- 
nated. In  this  case,  information  about  the  provider's  claims  history  or  the  adverse 
event  in  question  may  be  impossible  to  recreate,  yet  would  be  extremely  important 
to  a  prompt  resolution  of  the  claim.  Under  a  "claims-made"  policy,  the  notice  of  an 
event  often  triggers  the  attachment  of  insiu-ance  coverage  for  the  claim  should  it  be 
reported  in  the  futiu-e.  For  this  reason  and  others,  covered  entities  and  their  busi- 
ness partners  should  define  the  terms  and  conditions  of  their  contracts  instead  of 
having  them  dictated  in  regulations. 

Additionally,  the  PIAA  is  concerned  that  the  proposed  rule  contsiins  a  requirement 
that  covered  entities  and  their  business  partners  designate  individuals  whose  pro- 
tected heedth  information  is  disclosed  as  express  third  party  beneficiaries  by  con- 
tract. While  the  agency  proffers  no  reason  for  the  inclusion  of  this  requirement  in 
its  discussion  of  the  proposed  rule,  several  experts  in  the  area  of  health  law  have 
suggested  that  this  provision  creates  the  potential  for  private  rights  of  action  utiliz- 
ing a  third  party  beneficiary  theory  under  state  law. 

As  the  agency  has  itself  acknowledged,  HIPAA  (passed  by  the  104th  Congress) 
makes  no  provision  for  a  private  right  of  action  by  individuals  for  violations  of  the 
statute."*  This  should  be  regarded  as  an  affirmation  that  civil  and  criminal  penalties 
are  the  sole  remedy  for  the  unauthorized  release  of  a  patient's  confidential  health 
information.  Moreover,  the  question  of  whether  to  include  such  a  private  right  of 
action  has  been  bitterly  contested  in  deliberations  by  the  106th  Congress  over  legis- 
lation that  would  provide  broader  privacy  protections  of  individually  identifiable 
health  information.  Given  the  absence  of  any  congressional  establishment  of  a  fed- 
eral cause  of  action  for  the  violation  of  rights  created  under  the  statute,  the  Agency 
should  not  attempt  to  create  a  potential  private  right  of  action.  The  PIAA  is  gravely 
concerned  that  the  agency  would  see  fit  to  require  the  inclusion  of  provisions  creat- 
ing liability  under  state  law  in  these  contracts,  particularly  without  any  discussion 
of  the  potential  liability  ramifications  of  the  third  party  beneficiary  designation. 

In  addition  to  these  specific  concerns,  we  believe  that  the  application  of  this  rule 
to  business  partners  will  result  in  expenditures  of  significant  resources  for  marginal 
additional  improvements  in  privacy  protection.  This  would  occur  at  a  time  when 
health  care  expenditures  continue  to  rise  and  there  is  a  serious  interest  in  decreas- 
ing the  incidence  of  medical  errors  and  improving  patient  care.  Devoting  resources 
to  the  establishment  of  appropriate  privacy  protections  for  individually  identifiable 
health  information  must  not  be  considered  in  isolation,  but  rather  as  one  element 
in  improving  the  current  health  care  system. 

We  are  similarly  concerned  with  the  prospect  of  an  increasingly  confusing  and 
possibly  conflicting  array  of  responsibilities  for  liability  insurers  in  the  area  of  pri- 
vacy. Has  the  Agency  considered  in  detail  the  interaction  of  the  "business  partner" 
rule  with  privacy  obligations  that  may  arise  under  other  proposed  regulations  and 


2  See  64  Fed.  Reg.  p.59924,  (Nov.  3,  1999) 

3  See  64  Fed.  Reg.  p.59924,  (Nov.  3,  1999) 

4  See  64  Fed.  Reg.  p.59918,  p.59923  (Nov.  3,  1999)  ["In  HIPAA,  Congress  did  not  provide  such 
enforcement  authority.  There  is  no  private  right  of  action  for  individuals  to  enforce  their 
rights.  .  ."] 
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recently  enacted  legislation  such  as  the  Financial  Services  Modernization  Act.  We 
believe  that  minimizing  cost  and  confusion,  as  well  as  ehminating  any  potentially 
conflicting  obHgations  is  central  to  effectively  protecting  patient  privacy. 

The  PIAA  urges  the  agency  not  to  utilize  mandated  contractual  arrange- 
ments to  improperly  eiJarge  on  the  narrower  authority  granted  by  Con- 
gress, and  in  particular  to  withdraw  the  reqviirement  that  the  third  party 
beneficiary  designation  be  included  in  such  contracts. 

Customary  Business  Relationships  in  the  Health  Care  Industry 

During  our  review  of  the  proposed  rule,  PIAA  members  raised  concern  regarding 
the  potential  impact  of  the  proposed  rule  on  liabihty  insurers'  access  to  indi\idual 
health  information  related  to  the  acti\dties  of  their  insureds.  The  preamble  to  the 
rule  indicates  that  the  Agency  intends  "to  allow  customary  business  relationships 
in  the  health  care  industry  to  continue."  As  part  of  current  normal  business  prac- 
tice, professional  habihty  insurers  typically  receive  indi\'idually  identifiable  health 
information  related  to  adverse  incidents  that  may  give  rise  to  claims  against  an  in- 
sured. Indeed,  reporting  requirements  are  typically  stipulated  as  part  of  the  claims 
made  poHcy  in  an  insurance  contract.  Sharing  of  such  information  also  allows  the 
Habilitj^  insurer  t-o  conduct  underv-T-iting  re\'iew^s  to  determine  insurability.  Finally, 
such  an  open  business  relationship  promotes  consideration  of  how  health  care  sys- 
tems can  be  improved  to  prevent  recurrent  adverse  events.  Under  the  proposed  rule, 
it  is  unclear  under  what  conditions  this  transfer  of  information  could  take  place 
without  individual  authorization. 

Under  section  164.506('a)  as  proposed,  a  covered  entity  would  be  permitted  to  use 
or  disclose  protected  health  information  without  indi\T.dual  authorization  for  treat- 
ment, payment  or  health  care  operations.  "Health  care  operations"  as  defined  under 
proposed  section  164.504  includes: 

"(3  J  Insurance  rating  and  other  insurance  activities  relating  to  the  renewal  of  a 
contract  for  insurance  including  underwriting,  experience  rating  and  reinsurance, 
but  only  when  the  individuals  are  already  enrolled  in  the  health  plan  conducting 
such  activities  and  the  use  or  disclosures  of  the  protected  health  information  relates 
to  an  existing  contract  of  insurance  (including  the  renewal  of  such  contract); 

(5)  Compiling  and  analyzing  information  in  anticipation  of  or  for  use  in  a  civil  or 
criminal  legal  proceeding." 

The  PIAA  is  concerned  that  the  proposed  definition  of  "health  care  operations" 
fails  to  include  the  sharing  of  information  with  professional  Habilit>'  insurers  that 
is  both  current  business  practice  and  necessary  for  risk  management,  error  preven- 
tion, impro\Tng  patient  care,  underwriting  and  other  insurance  purposes.  The  dis- 
cussion of  insurance  under  the  proposed  definition  (above)  appears  to  be  limited  to 
insurance  pro%T.ded  by  health  plans  and  does  not  expressly  contemplate  other  types 
of  insurance,  such  as  professional  Habihty  insurance. 

The  aspect  of  the  definition  including  information  compiled  "in  anticipation  of  hti- 
gation,"  similarly  provides  Httle  comfort  as  it  fails  to  embrace  the  full  array  of  situa- 
tions in  which  individual  health  information  must  be  exchanged  between  an  insured 
and  a  professional  habihty  insurer.  This  exchange  of  information  often  occurs  long 
before  a  civil  or  criminal  action  is  indicated,  and  indeed  is  necessarj^  to  allow  the 
insurer  to  investigate  the  incident  and  determine  whether  compensation  should  be 
paid  before  any  demand  letter  is  received  or  ci\nl  action  initiated.  This  exchange  of 
information  is  additionally  necessaiy  even  when  no  claim  is  made  to  aid  in  imder- 
writing  and  risk  management/evaluation  activities. 

Moreover,  the  "in  anticipation  of  or  for  use  in  a  ci\Tl  or  criminal  proceeding" 
standard  is  quite  similar  to,  and  equally  as  vague  as,  the  "anticipation  of  htigation" 
standard  for  the  work  product  rule  under  Federal  Rule  of  Civil  Proced\ire  26ib)(3) 
which  has  spawned  reams  of  case  law  attempting  to  define  under  what  cir- 
cumstances this  standard  has  been  met. 

The  ramifications  of  failing  to  clarify'  the  definition  of  "health  care  operations"  to 
include  information  shared  with  professional  habihty  insurers  are  serious  as  it 
would  appear  that  professional  habihty  insurers  would  then  be  relegated  to  the  ex- 
ception for  protected  health  information  obtained  for  judicial  and  administrative 
proceedings.  As  proposed,  the  rule  would  impose  the  burdensome  requirement  that 
any  transfer  of  protected  health  information  could  only  occur  pursuant  to  court 
order  or  by  request  from  legal  counsel  in  htigation.  This  result  would  be  counter- 
productive for  all  concerned,  including  patients,  as  it  would  essentially  require  hti- 
gation in  order  for  the  claim  to  be  evaluated.  The  current  practice  of  sharing  infor- 
mation with  the  professional  habihty  insurer  as  soon  as  an  adverse  incident  occurs 
facihtates  compensation  without  htigation  in  many  instances  and  results  in  lower 
costs  per  claim. 
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In  light  of  the  foregoing,  the  PIAA  would  respectfully  request  that  the 
agency  modify  the  definition  of  "health  care  operations"  to  make  clear  that 
protected  health  information  could  be  shared  with  a  provider  or  other  cov- 
ered entity's  professional  liability  insurer  without  prior  authorization. 

Finally,  we  would  like  to  commend  the  Agency  for  a  well-detailed  and  thoughtful 
approach  to  creating  protections  in  a  new  and  difficult  area.  We  hope  that  our  com- 
ments will  be  addressed  in  any  further  actions  the  Agency  takes  regarding  this  mat- 
ter. 


Statement  of  Jim  Ramstad,  a  Representative  in  Congress  from  the  State  of 

Minnesota 

Mr.  Chairman,  thank  you  for  calling  this  important  hearing  to  review  the  Admin- 
istration's proposal  to  protect  the  confidentiality  of  medical  records. 

Given  the  sensitive  nature  of  personal  health  records,  I  am  very  aware  of  the  im- 
portance of  crafting  appropriate  rules  and  regulations,  as  well  as  the  complexities 
that  surround  this  task. 

I  applaud  the  efforts  of  the  Secretary  to  tackle  this  important  issue  with  a  com- 
prehensive framework  to  protect  patient  information  without  inhibiting  the  use  of 
data  to  continue  research  into  life-saving  and  life-enhancing  treatments,  drugs,  tech- 
nologies and  procedures.  Ensuring  regulations  are  balanced  and  do  not  stifle  re- 
search, while  protecting  privacy,  is  one  of  my  top  priorities. 

Given  the  vast  expanse  of  the  regulations  and  the  number  of  health  care  providers 
impacted  by  them,  this  hearing  is  important  to  closely  examine  the  rules  and  deter- 
mine if  changes  are  necessary  or  more  work  needs  to  be  done  legislatively. 

I  welcome  this  opportunity  to  learn  more  fi'om  today's  witnesses  on  this  signifi- 
cant health  care  issue,  and  I  thank  you  again,  Mr.  Chairman,  for  calling  this  impor- 
tant hearing. 


Testimony  of  the  Hon.  Louise  Mcintosh  Slaughter,  a  Representative  in 
Congress  from  the  State  of  New  York 

I  thank  you.  Chairman  Thomas  and  Representative  Stark,  for  this  opportunity  to 
testify  on  one  of  the  most  critical  issues  in  Congress:  medical  records  privacy.  I  can- 
not tell  you  how  pleased  I  am  that  Congress  is  finally  taking  up  this  matter  in  ear- 
nest. 

It  is  truly  gratifying  for  me  to  see  a  national  consensus  emerging  on  the  need  to 
protect  the  privacy  of  medical  records.  Privacy  is  one  of  the  bedrock  principles  of 
our  Constitution  and  a  pillar  of  our  democracy.  Our  Foimders  considered  privacy  so 
important  that  they  included  it  in  the  Constitution  in  several  different  forms.  The 
First  Amendment  protects  our  right  to  express  our  private  thoughts,  and  our  right 
to  associate  in  private  or  public  with  whomever  we  choose.  It  protects  the  privacy 
of  one's  home,  possessions  and  person  against  unreasonable  search  and  seizure.  It 
therefore  seems  natural  that  the  privacy  of  medical  records — which  contain  the  most 
personal  of  information  about  an  individual — should  also  be  protected. 

Unfortunately,  Americans'  medical  records  are  anything  but  private.  While  many 
people  believe  their  medical  records  are  closed  to  everyone  except  their  health  care 
provider  and  insurer,  the  truth  is  very  different.  On  February  4,  1997,  a  New  York 
Times  article  recounted  how  one  doctor  started  investigating  how  many  people  had 
access  to  his  patients'  records  after  being  confronted  with  one  patient's  fear  of  dis- 
closure. He  said,  and  I  quote,  "I  stopped  counting  at  75."  This  incident  happened 
a  decade  ago.  The  situation  is  even  more  extreme  today. 

Doctors,  nurses,  therapists,  and  secretaries  are  only  a  few  of  the  people  who  have 
access  to  an  individual's  medical  charts.  Today  our  medical  records  may  also  be 
viewed  by  consultants,  billing  clerks,  insurance  "coders,"  and  many  others.  An  em- 
ployer may  have  free  access  to  workers'  records,  especially  if  the  company  is  self- 
insured.  Medicare  sees  the  records  of  elderly  and  disabled  patients,  while  Medicaid 
workers  may  view  medical  charts  for  the  poor.  The  potential  for  genetic  discrimina- 
tion and  other  misuse  of  this  information  is  staggering. 

The  computerization  of  medical  records  has  exacerbated  this  situation.  Many  in- 
surers pool  medical  information  in  the  Medical  Information  Bureau,  which  may  dis- 
tribute it  to  any  number  of  sources.  Marketers  buy  sophisticated  lists  of  health  and 
demographic  information  to  help  them  target  their  products.  Lawyers  look  at 
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records  in  the  context  of  rape,  domestic  violence,  and  medical  injury  cases.  Equifax 
and  other  credit  reporting  services  can  also  get  access.  The  list  goes  on  and  on. 

The  computerization  of  medical  records  has  added  a  new  urgency  to  the  need  for 
regulations  to  protect  consimiers.  In  the  past,  the  practical  hmitations  of  paper 
records  made  access  more  difficult.  Computerization  of  records  means  that  large 
numbers  of  medical  records  can  be  screened,  collated,  and  distributed  in  the  blirdk 
of  an  eye.  Information  can  be  made  available  to  almost  unhmited  numbers  of  people 
via  the  Internet.  The  market  for  medical  records  information  is  booming,  and  there 
is  reputed  to  be  a  vigorous  black  market  for  it  as  weU. 

With  the  advent  of  computerized  records,  the  potential  for  mahcious  misuse  of 
this  information  is  truly  appalling.  In  a  widely  pubHcized  case,  a  Florida  pubUc 
health  official  was  fired  after  allegedly  mailing  computer  disks  with  the  names  of 
thousands  of  Florida  patients  with  HTV  and  AIDS  anonymously  to  Tampa-area 
newspapers.  This  individual  also  reputedly  took  a  Hst  of  the  patients  into  a  local 
bar  and  offered  to  help  fiiends  screen  potential  dates.  In  1996,  the  Baltimore  Sun 
reported  that  in  Maryland  there  had  been  examples  of  state  employees  accepting 
bribes  from  HMOs  for  information  on  Medicaid  recipients.  One  Delaware  banker  ob- 
tained a  Ust  of  cancer  patients,  cross-referenced  it  with  loan  customers  at  his  bank 
and  called  in  those  loans. 

There  is  a  clear  and  pressing  need  for  federal  legislation  to  protect  the  privacy 
of  our  medical  records.  In  a  1997  review  of  state  medical  privacy  and  confidentiaUty 
laws  prepared  for  the  Centers  for  Disease  Control  and  Prevention,  the  Electronic 
Privacy  and  Information  Center  (EPIC)  called  federal  privacy  laws  "fragmented  and 
uncertain."  As  long  ago  as  1994,  the  Institute  of  Medicine  endorsed  passage  of  com- 
prehensive federal  legislation  to  replace  the  patchwork  of  laws  that  cover  medical 
records.  According  to  the  EPIC  report, 

Thirty-seven  states  impose  on  physicians  the  duty  to  maintain  the  confidentiahty 
of  medical  records.  Twenty-six  extend  this  duty  to  other  health  care  providers.  Thir- 
ty-three states  and  territories  require  health  care  institutions  to  maintain  the  con- 
fidentiality of  medical  records  they  hold.  The  survey  found  that  only  four  states 
have  specific  legislation  imposing  this  duty  on  insurers,  despite  the  vast  amount  of 
information  held  by  insurance  companies.  Nine  states  impose  a  similar  duty  on  em- 
ployers or  other  non-health  care  institutions. 

Only  twenty-two  states  have  legislative  provisions  that  protect  computerized  or 
electronically  transferred  data.  Forty-two  states  protect  information  received  during 
the  course  of  a  physician-patient  relationship  fi-om  disclosure  in  court  proceedings, 
with  certain  exceptions.  Twenty-eight  states  provide  statutory  penalties  for  unau- 
thorized disclosure  of  health  care  information.  Twelve  impose  criminal  penalties, 
nineteen  create  civil  penalties  and  three  elQow  for  both  civil  and  criminal  penalties. 
Legislative  Survey  of  State  Confidentiality  Laws,  with  Specific  Emphasis  on  HIV 
and  Immunization,  EPIC,  February  1997. 

The  report  concludes  by  endorsing  passage  of  federal  privacy  legislation,  stating, 
"Uniform  standards  nationwide  will  result  in  more  effective  protection  of  health  in- 
formation privacy." 

The  situation  has  changed  httle  since  that  1997  report.  State  laws  are  fragmented 
and  inconsistent.  People  hving  on  opposite  sides  of  a  state  Une  have  widely  diver- 
gent privacy  protections  and  recourse  against  violations. 

In  attempting  to  fulfill  the  Health  Insurance  PortabiUty  and  Accountabihty  Act 
of  1996's  (HEPAA)  requirement  that  Congress  pass  medical  records  privacy  legisla- 
tion, we  aU  learned  a  difficult  lesson  about  the  many  competing  interests  on  this 
issue.  The  medical  records  privacy  debate  draws  in  virtually  every  fact  of  the  health 
care  industry  -doctors,  nurses,  hospitals,  nursing  homes,  insurance  companies,  blood 
banks,  tissue  banks,  laboratories,  information  processing  firms,  pharmaceutical  com- 
panies, private  and  university-based  researchers,  disease  advocacy  groups,  medical 
schools,  and  more.  Many  of  these  entities  have  very  different  ideas  about  the  appro- 
priate level  of  privacy  that  should  be  afforded  to  medical  records.  And  first  and  fore- 
most, we  must  consider  the  concerns  of  individual  Americans. 

Toda/s  hesiring  seeks  to  examine  the  recent  regulations  promulgated  by  the  De- 
partment of  Health  and  Human  Services  on  the  privacy  of  computerized  medical 
records.  In  the  broadest  sense,  these  regulations  are  a  major  step  forward.  They  rep- 
resent the  first  concerted  federal  effort  to  ensure  that  Americans'  medical  informa- 
tion is  not  treated  Ughtly.  I  commend  Secretary  Shalala  and  the  HHS  officials  re- 
sponsible for  producing  these  regulations  for  their  extremely  hard  work.  I  would  like 
to  highUght  three  concerns  raised  on  the  regulations: 

Research  Must  Not  Be  Inhibited.  As  a  former  microbiologist,  I  am  keenly 
aware  of  the  challenges  faced  by  researchers  in  obtaining,  analyzing,  and  interpret- 
ing medical  information.  Legitimate  scientific  studies  should  not  be  hampered  by 
overly  burdensome  requirements  or  regulations.  It  is  my  firm  belief  that  the  major- 
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ity  of  research  can  and  should  be  conducted  with  medical  information  that  is  not 
individually  identifiable.  Further,  I  am  deeply  concerned  that  some  industries  may 
attempt  to  obtain  medical  records  for  marketing  purposes  under  the  guise  of  "re- 
search." The  regulations  must  ensure  that  science  can  move  forward  without  com- 
promising the  privacy  of  individuals. 

Authorization  and  Consent  Forms  Must  Be  Meaningful.  Today,  most  insur- 
ance forms  contain  a  blanket  consent  paragraph  that  the  individual  must  sign  or 
risk  being  denied  coverage  for  treatment.  I  am  pleased  that  the  regulations  are  de- 
signed to  end  these  meaningless,  coercive  authorizations  and  replace  them  with  a 
more  targeted,  informative  system.  The  authorization  form  content  requirements  in 
the  HHS  regulations  are  a  major  step  in  the  right  direction.  We  must,  however,  en- 
sure that  consumers  are  not  presented  with  endless  paperwork,  printed  in  small 
type  and  written  in  bureaucratic  jargon.  Such  a  case  would  only  result  again  in  con- 
sumers signing  forms  without  reading  them  or  reviewing  their  private  rights  in  a 
meaningful  fashion. 

Effectiveness  of  the  Regulations  Should  Be  Studied.  I  would  strongly  en- 
courage HHS  to  include  explicitly  with  the  regulations  one  or  more  studies  of  their 
effectiveness.  Which  consent  forms  are  the  most  useful  for  consumers?  Are  individ- 
uals indeed  reading  authorizations  and  considering  their  privacy  rights?  Are  entities 
which  hold  medical  records  compljdng  with  the  spirit  as  well  as  the  letter  of  the 
law?  Where  are  the  remaining  loopholes  that  may  not  have  been  anticipated?  Is  re- 
search being  impacted  adversely?  Are  certain  requirements  too  burdensome?  These 
regulations  are  complex;  we  cannot  allow  them  to  be  issued  without  thoughtful  over- 
sight of  their  impact. 

Finally,  I  would  like  to  raise  a  related  issue  that  must  not  be  ignored.  While  medi- 
cal records  privacy  is  critically  important,  it  is  only  one  side  of  the  coin.  The  other 
side  of  the  coin  is  nondiscrimination.  Individuals'  private  medical  information,  and 
in  particular  their  genetic  information,  should  not  be  used  to  harm  them.  Without 
nondiscrimination  laws,  privacy  is  an  empty  protection.  Without  privacy  protection, 
nondiscrimination  laws  are  unenforceable. 

I  am  proud  to  be  a  leader  in  Congress  in  the  effort  to  ban  genetic  discrimination. 
In  1995,  I  introduced  legislation  to  ban  genetic  discrimination  when  few  Members 
were  even  aware  of  the  Human  Genome  Project.  Today  genetic  research  and  discov- 
eries are  the  subject  of  seemingly  daily  press  reports.  A  "rough  draft"  of  the  entire 
human  genome  will  be  completed  this  spring.  Over  the  past  five  years,  I  have 
worked  consistently  to  keep  these  issue  before  Members  of  Congress,  educating 
them  and  their  staffs  about  the  many  ethical,  legal  and  social  implications  of  genetic 
research. 

H.R.  306,  the  Genetic  Information  Nondiscrimination  in  Health  Insurance  Act, 
would  prohibit  insurers  from  denying,  canceling,  refusing  to  renew,  or  changing  the 
rates,  terms,  or  conditions  of  coverage  based  on  genetic  information.  This  bill  has 
the  overwhelming  support  of  212  bipartisan  cosponsors  and  over  100  health-related 
organizations.  I  am  proud  to  count  as  cosponsors  all  of  the  Health  Subcommittee 
Democrats,  as  well  as  Rep.  Nancy  Johnson. 

More  recently,  I  have  introduced  H.R.  2457,  the  Genetic  Nondiscrimination  in 
Health  Insurance  and  Employment  Act.  As  its  title  suggests,  this  bill  would  ban  dis- 
crimination in  both  health  insurance  and  employment.  Just  last  week.  President 
Chnton  endorsed  this  legislation  in  a  major  Administration  event  and  signed  an  ex- 
ecutive order  banning  genetic  discrimination  in  federal  employment. 

Unfortunately,  the  new  HHS  medical  records  privacy  regulations  do  not  ban  ge- 
netic discrimination.  Doing  so  would  have  exceeded  the  scope  of  the  HIPAA  man- 
date. It  is  therefore  up  to  Congress  to  act  on  this  critical  issue. 

We  owe  it  to  the  American  people  to  ban  genetic  discrimination.  Throughout  the 
course  of  my  work  on  this  issue,  I  have  received  heartbreaking  letters  fi"om  people 
who  want  to  take  a  genetic  test,  but  have  decided  not  to  do  so  because  they  are 
afraid  the  results  might  be  obtained  by  their  health  insurer  or  employer.  Whenever 
I  speak  to  groups  about  genetics,  I  am  inevitably  approached  by  people  afterwards 
who  describe  their  own  family  history  of  illness  and  their  fears  that  this  information 
will  be  used  against  them.  It  is  absolutely  reproachable  that  Congress  is  allowing 
this  situation  to  persist  for  milhons  of  Americans  simply  because  the  leadership  will 
not  act  upon  this  issue. 

Medical  records  privacy  is  long  overdue.  Again,  I  commend  Secretary  Shalala  and 
her  staff  for  producing  excellent  draft  regulations.  With  some  changes,  these  regula- 
tions wiU  provide  a  solid  basis  for  protecting  the  privacy  of  medical  information  in 
this  nation.  The  next  step  must  be  to  protect  Americans  against  genetic  discrimina- 
tion. Unless  we  ensure  that  this  information  cannot  be  used  to  undermine  individ- 
uals' best  interests,  the  public  wiU  rightly  stop  supporting  genetic  research.  The 
enormous  promise  of  genetic  technology  will  then  go  unfulfilled. 
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I  appreciate  having  this  opportunity  to  offer  my  comments  on  medical  records  pri- 
vacy issues,  and  I  look  forward  to  working  with  the  members  of  the  subcommittee 
to  ban  genetic  discrimination. 


Statement  of  VHA  Inc. 

On  behalf  of  the  membership  of  VHA,  we  submit  these  comments  on  the  Adminis- 
tration's proposed  regulations  regarding  privacy  of  individually  identifiable  health 
information.  VHA  supports  the  idea  that  an  individual's  medical  information  should 
remain  confidential.  However,  this  confidentiality  should  not  operate  as  a  barrier  to 
quahty  and  efficient  care.  With  this  goal  in  mind,  VHA  offers  the  following  com- 
ments on  the  proposed  regulations  that  will  have  an  enormous  impact  on  all  of 
America's  hospitals. 

VHA  is  a  nationwide  network  of  commimity-owned  health  care  systems  and  physi- 
cians. Through  shared  knowledge  and  commitment,  we  build  strength  to  improve 
community  health  and  achieve  market  success.  VHA  has  more  than  1,800  members, 
representing  many  of  America's  leading  community-owed  health  care  providers,  in 
forty-eight  states  and  the  District  of  Columbia.  That  number  represents  twenty-four 
percent  of  the  nation's  community-owned  hospitals. 

Patients  and  consumers  must  be  assured  that  any  use  of  their  medical  informa- 
tion will  be  appropriate  and  maintained  as  strictly  confidential  in  the  course  of  pro- 
viding care,  performing  essential  quahty  assurance  activities,  conducting  bona  fide 
research,  complying  with  legal  requirements,  and  performing  specific  pubUc  health 
activities. 

VHA  beUeves  that  any  regulation  should  avoid  imposing  undue  administrative 
burdens  and  costs  on  health  care  providers  and  others,  or  unnecessarily  impeding 
the  exchange  of  information  used  in  patient  care,  quahty,  and  payment.  Neither 
should  any  regulation  adversely  impact  clinical  research  or  prudent  access  to  re- 
search databases  essential  for  the  advancement  of  patient  care. 

It  is  important  for  health  care  organizations  operating  in  multiple  states  to  have 
a  consistent  guide  for  maintaining  the  confidentiaUty  of  patient  medical  informa- 
tion. Therefore,  any  federal  regulation  should  preempt  existing  state  laws  to  ensure 
a  unified  law  for  multi-state  operating  health  care  organizations. 

Patient-identifiable  health  information  is  currently  used  in  a  variety  of  activities 
to  improve  health  care  quahty.  These  activities  include  health  promotion  and  dis- 
ease prevention,  disease  management,  outcomes  research,  and  utilization  manage- 
ment. Computers,  electronic  communication  and  the  rapidly  increasing  knowledge 
about  human  genetics  are  vastly  improving  quahty  of  care.  However,  the  wide- 
spread use  of  electronic  technology  to  store,  transmit,  and  use  health  record  infor- 
mation has  raised  questions  about  the  safety  and  security  of  confidential  health  in- 
formation. It  is  important  that  patients  and  consumers  be  assiired  that  any  use  of 
their  personal  medical  information  is  appropriately  maintained  as  confidential. 

VHA  aids  its  members  in  the  development  of  sound  operational  efficiencies  that 
result  in  both  clinical  and  ecqnonaic  benefits.  The  federal  government  has  long  recog- 
nized the  need  for  such  efficiencies  and  has  exhibited  its  commitment  to  encourag- 
ing them  through  the  implementation  of  various  prospective  payment  systems  in  the 
Medicare  program.  VHA's  activities  are  consistent  with  the  federal  priority  to  re- 
quire operational  efficiencies  at  all  levels  in  the  health  care  industry. 

To  achieve  its  goals,  VHA  beheves  that  HHS  should  clarify  the  definition  of 
"health  care  operations"  and  include  a  definition  of  "marketing." 

First,  the  definition  of  "health  care  operations"  needs  to  be  expanded. 
Under  the  proposed  regulations,  covered  entities,  such  as  VHA  members,  would  not 
need  to  seek  authorizations  for  uses  or  disclosures  of  protected  health  information 
CTHI")  that  relate  to  "health  care  operations."  As  currently  written,  the  definition 
of  "health  care  operations"  includes  specific  activities  "for  the  purpose  of  carrying 
out  the  management  functions  of  [covered  entities]  necessary  for  the  support  of 
treatment  or  payment."  VHA  applauds  HHS  for  its  recognition  that  uses  of  PHI  for 
purposes  that  are  "compatible  with  and  directly  related  to"  treatment  and  payment 
should  be  exempt  from  a  general  authorization  requirement.  WhUe  the  definition  of 
"health  care  operations"  acknowledges  this  fact,  some  activities  have  been  over- 
looked, creating  ambiguities  that  could  inhibit  the  nation's  hospitals'  abihty  to  pro- 
vide high-quahty  patient  care  and  hospital  efficiency. 

VHA  is  concerned  about  the  status  of  activities  related  to  sound  chnical  and  oper- 
ational efficiencies  under  these  regulations.  One  critical  aspect  of  patient  care  is  the 
abihty  of  hospital  clinicians  to  work  together  to  ensure  that  each  physician  has  met 
the  hospital's  goal  of  clinical  and  operational  efficiency.  One  aspect  of  this  team  ap- 
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proach  involves  the  review  of  the  provisions  of  medical  drugs  and  devices  by  provid- 
ers. These  reviews  require  that  other  members  of  the  hospital  staff  have  access  to 
medical  records,  which  include  PHI.  The  staff  members  must  work  together  with 
physicians  to  review  relevant  medical  records  to  determine  the  most  efficacious  and 
economic  drug  or  device  for  patients. 

The  definition  of  "health  care  operations"  needs  to  be  clarified  to  ensure  that 
these  types  of  reviews  come  within  the  tier  of  activities  for  which  patient  authoriza- 
tions are  not  required. 

While  these  reviews  most  likely  fall  within  "health  care  operations"  as  one  aspect 
of  "evaluating  practitioner  and  provider  performance"  or  as  part  of  internal  quality 
oversight,  the  fit  is  not  absolutely  clear  fi:-om  the  text  of  the  proposed  regulations. 
As  the  preamble  notes,  the  intent  of  the  regulations  is  "to  make  the  exchange  of 
[PHI]  relatively  easy  for  health  care  purposes."  These  reviews  are  an  important 
health  care  purpose. 

While  VHA  does  not  believe  HHS  intended  to  exclude  these  types  of  reviews  from 
the  definition  of  "health  care  operations,"  we  seek  clarification  as  to  their  status. 
Therefore,  we  suggest  that  HHS  augment  the  definition  of  "health  care  operations" 
by  including  in  the  text  of  the  regulation  itself  "engaging  in  activities  related  to 
achieving  clinical  and  operational  efficiencies"  in  subparagraph  two  of  the  definition. 
This  clarification  should  be  extended  to  the  preamble  as  well. 

The  financial  gain  notice  requirement  should  be  narrowed.  Under  the  pro- 
posed regulations,  a  covered  entity  must  include  a  statement  regarding  the  financial 
gain  associated  with  a  use  or  disclosure  of  PHI  when  the  covered  entity  requests 
an  authorization  for  the  use  or  disclosure  that  will  result  in  financial  gain  to  the 
entity.  In  the  preamble,  HHS  clearly  describes  its  concerns  about  financial  gains  re- 
sulting fi:-om  marketing  activities. 

VHA  understands  the  concerns  regarding  the  use  of  PHI  for  inappropriate  mar- 
keting activities,  but  the  proposed  language  of  the  regulation  is  too  broad  and  re- 
stricts other  necessary  activities  that  may  also  result  in  financial  gain  to  a  covered 
entity.  For  example,  when  a  hospital  reviews  a  physician's  prescription  of  drugs  or 
use  of  devices  for  his/her  patients  to  achieve  sound  clinical  and  operational  effi- 
ciencies, the  hospital,  as  well  as  the  patient,  the  community,  the  federal  government 
in  its  role  as  a  payer  for  health  care,  and  indeed  the  entire  health  care  system  re- 
ceive economic  gain.  This  goal  of  providing  high  quality  clinical  care  that  is  also 
operationally  sound  is  the  same  as  that  embraced  by  the  Congress  and  the  Adminis- 
tration through  its  creation  of  the  prospective  payment  systems. 

VHA  does  not  believe  HHS  intended  to  create  such  an  impediment  to  the  use  of 
sound  operational  efficiencies.  Thus,  VHA  suggests  that  the  financial  gain  statement 
requirement  at  45  C.F.R.  §  164.508(d)(iv)  be  narrowed  to  read:  "(iv)  Where  use  or 
disclosure  of  the  requested  information  will  result  in  financial  gain  to  the  entity  that 
is  unrelated  to  the  care  of  the  individual  or  the  sound  clinical  or  operational  effi- 
ciencies of  the  covered  entity,  a  statement  that  such  gain  will  result."  The  preamble 
should  also  be  modified  to  reflect  this  modification. 

The  "minimum  necessary"  standard  must  be  tightened  so  as  not  to  divert 
necessary  resources  from  patients  and  to  address,  in  a  practical  manner, 
the  uses  and  disclosures  of  PHI  in  day-to-day  patient  care.VHA  is  concerned 
that,  as  currently  described,  the  "minimum  necessary"  standard  will  inhibit  the  de- 
livery of  high  quality,  cost-effective  health  care.  While  it  is  clear  that  some  uses  or 
disclosures  of  PHI  may  not  require  all  of  the  PHI  located  in  a  medical  record,  other 
uses  will  require  this  complete  set  of  information.  Because  a  vast  number  of  medical 
records  remain  on  paper,  abstracting  can  be  an  enormous  impediment  to  accom- 
plishing the  minimum  necessary  goal.  Although  well-intentioned,  this  standard  wiU 
divert  even  more  scarce  resources  from  patient  care  to  administrative  fimctions. 

Secondly,  it  is  unreasonable  to  expect  that  an  appointed  person  or  group  will  al- 
ways be  able  to  discern  the  "correct"  amoimt  of  information  necessary  for  a  particu- 
lar purpose,  especially  as  related  to  treatment  and  certain  aspects  of  health  care  op- 
erations. For  example,  what  might  not  seem  important  to  the  appointed  person  may 
become  vitally  important  at  a  later  date  in  the  patient's  treatment.  If  the  informa- 
tion is  missing,  the  patient's  medical  needs  would  not  be  met.  The  provider  might 
not  even  realize  until  too  late  that  the  record  he/she  had  received  had  been  re- 
dacted. 

VHA  members  involved  in  reviewing  the  provision  of  drugs  and  devices  by  provid- 
ers could  also  be  severely  hampered.  On  the  surface  the  individual  determining  the 
"minimum  necessary"  amount  might  believe  that  only  the  diagnosis  and  medicine 
prescribed  is  required  reviewing  a  provider's  prescription  practices.  For  the  review 
to  meet  its  goals  of  improving  clinical  and  operational  efficiencies,  however,  it  is 
often  necessary  to  know  the  patients'  entire  histories  so  that  reviewers  can  deter- 
mine why  a  physician  might  have  selected  certain  drugs  or  devices.  Redacting 
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records,  even  with  the  best  of  intentions,  may  make  quality  reviews  inefficient  or 
completely  impossible.  ,        ,  ^.   .       ,     ,  -,  ,     ,  . 

Thus,  VHA  suggests  that  the  standard  be  tightened.  Fu-st,  it  should  be  clear  that 
in  the  case  of  treatment  and  health  care  operations,  the  minimum  necessary  stand- 
ard should  be  modified.  In  the  case  of  uses  or  disclosures  for  treatment,  the  mini- 
mum necessary  standard  should  apply  only  to  the  number  of  individuals  who  obtain 
the  PHI,  not  the  amount  of  information  because  the  vast  majority  of  cases  will  need 
a  full  record.  To  do  otherwise  threatens  patient  care.  For  health  care  operations,  the 
text  already  creates  an  exception  for  "audits  and  related  purposes."  This  exception 
should  be  clarified  so  that  important  health  management  reviews  of  provider  prac- 
tices are  also  not  subject  to  the  standard  in  terms  of  amounts  of  data,  but  only  in 
terms  of  the  number  of  people  with  access  to  the  information. 

Second,  the  explanation  of  the  standards  describing  the  factors  that  the  Secretary 
expects  to  be  used  in  making  the  minimum  necessary  determinations  should  be 
made  part  of  the  text  of  the  regulation.  Otherwise,  the  standard  is  too  vague  to  be 
workable  and  creates  the  risk  that  the  courts  who  will  ultimately  determine  the 
meaning  of  "reasonable,"  will  rely  on  a  different  analysis. 

Whistleblowers  should  be  held  to  a  "reasonableness"  standard  or  not  be 
exempt  from  the  "minimum  necessary"  requirement  entirely.  As  HHS  recog- 
nizes, the  role  of  whistleblowers  has  been  etched  into  efforts  to  curb  fi-audulent  be- 
havior. VHA  understands  the  need  to  allow  these  individuals  to  report  abuses  to 
health  oversight  agencies,  law  enforcement  officials,  or  attorneys.  The  broad  protec- 
tion afforded  whistleblowers  in  these  regulations,  however,  erodes  the  protection  of 
an  individual's  confidentiaHty,  which  constitutes  the  heart  of  the  regulations. 

VHA  is  troubled  by  this  provision  generally.  At  a  minimum,  we  suggest  that  ad- 
dressing three  basic  problems  with  the  provision  would  aid  in  ameliorating  these 
concerns.  First,  the  provision  currently  permits  an  individual  to  disclose  PHI  on  a 
"beUef."  This  standard  is  too  broad  and  unenforceable.  Other  areas  of  law  tradition- 
ally focus  on  a  "reasonableness"  standard,  which  is  stronger  than  that  of  a  "belief." 
Under  a  reasonableness  standard,  a  whistleblower  would  not  be  hable  for  the  disclo- 
sure if  a  reasonable  person  would  have  evaluated  the  particular  act  as  a  violation 
of  the  laws.  Thus,  he/she  is  held  to  a  societal  standard  that  can  be  objectively  evalu- 
ated and  provides  some  level  of  protection  for  those  whose  information  is  disclosed. 
A  "behef  standard,  however,  is  subjective,  making  it  almost  impossible  to  find  that 
the  whistleblower  erred.  As  noted  in  the  preamble,  a  balance  must  be  achieved  so 
that  whistleblowers  are  not  completely  discouraged  fi-om  playing  their  vital  role. 
This  provision  is  not  balanced,  but  rather  lopsided  and  provides  no  check  on  disclo- 
sures of  this  type.  Thus,  HHS  should  adopt  the  widely  accepted  reasonableness 
standard  of  tort  law,  as  the  standard  which  provides  protection  for  both  individuals 
and  whistleblowers,  by  which  to  judge  these  disclosures. 

Secondly,  the  provision  provides  whistleblowers  with  carte  blanche  to  disclose  any 
amount  of  PHI  they  desire.  This  allowance  rips  away  the  very  protection  at  the  cen- 
ter of  the  regulations.  Thus,  while  covered  entities  work  diligently  to  protect  each 
individual's  confidentiaHty,  their  employees,  without  any  Limitations,  can  breach 
that  confidentiaHty  in  the  name  of  a  'l^elieved"  abuse.  VHA  suggests  that  this  provi- 
sion be  Hmited  by  requiring  whistleblowers  to  apply  the  "minimum  necessary" 
standard  appHcable  to  covered  entities  and  their  business  pari-ners.  Whistleblowers 
wiU  not  be  deterred  because  the  reasonableness  standard  wiU  protect  them.  If  their 
calculation  of  the  amount  of  PHI  they  disclosed  was  reasonable,  they  wLQ  not  be 
subject  to  sanctions.  If  not,  however,  the  employee  can  be  reprimanded.  This  ap- 
proach strikes  the  right  balance  that  permits  good  faith  attempts  to  report  abuses 
and  creates  an  incentive  not  to  disclose  PHI  maHciously  or  without  reason. 

Third,  as  drafted  the  provision  aUows  whistleblowers  to  disclose  PHI  to  any  attor- 
ney for  the  purpose  of  determining  whether  a  violation  of  law  has  occurred.  Permit- 
ting disclosures  to  any  is  extremely  problematic.  In  addition  to  vastly  increasing  the 
number  of  individuals  to  whom  PHI  can  be  disclosed,  it  estabHshes  no  restrictions 
on  how  these  attorneys  can  further  use  or  disclose  the  PHI  in  the  future  because 
they  are  neither  covered  entities  nor  business  partners  and,  therefore,  not  subject 
to  the  regulations.  Thus,  the  protection  of  patient  confidentiaHty,  which  is  the  point 
of  this  entire  regulatory  scheme,  is  severely  hampered  by  this  aspect  of  the  whistle- 
blower  provision.  VHA  suggests  that  HHS  clarify  this  provision  to  limit  the  entities 
to  whom  PHI  can  be  disclosed  for  purposes  of  whistleblower  activities  to  law  en- 
forcement officials  and  oversight  agencies  or  individuals  designated  by  the  covered 
entity  to  deal  with  such  concerns. 

Tsiken  together,  these  broad,  subjective  aspects  of  the  whistleblower  provision 
work  to  destroy  the  right  to  confidentiaHty  HHS  has  attempted  to  craft.  Thus,  if 
maintained,  this  provision  should  be  significantly  revised. 
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Conclusion 

VHA  appreciates  the  opportunity  to  present  its  views  on  this  important  issue.  We 
agree  that  "a  clear  and  consistent  set  of  privacy  standards"  are  needed  "to  improve 
the  effectiveness  and  the  efficiency  of  the  health  care  system."  Because  of  the  vast 
nature  of  the  proposed  regulations,  the  final  regulations  must  present  both  the 
health  care  community  and  the  individual  whose  PHI  is  being  used  and  disclosed 
with  a  clear  picture  of  what  is  required.  However,  these  requirements  should  not 
sacrifice  America's  high  standard  of  health  care.  Thus,  VHA  offers  these  comments 
as  an  important  step  in  the  national  conversation  about  this  issue. 
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